Server-side encryption is about data encryption at rest, that is, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, the pre-signed URL works the same way for both encrypted and unencrypted objects.
In client-side encryption, you manage the encryption and decryption of your data, the encryption keys, and the related tools. Server-side encryption is an alternative to client-side encryption in which Amazon S3 manages the encryption of your data, freeing you from the tasks of managing encryption and encryption keys.
Amazon S3 Server Side Encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 Server Side Encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
You can specify data encryption at the object level. When you upload an object, you can explicitly specify in your request whether you want Amazon S3 to store your object data encrypted. Server-side encryption is optional, so your bucket might contain both encrypted and unencrypted objects. Amazon S3 supports bucket policies that you can use if you require server-side encryption for all objects stored in your bucket. For example, the following bucket policy denies the s3:PutObject (upload object) permission to everyone if the request does not include the x-amz-server-side-encryption header requesting server-side encryption.
    {
      "Version":"2008-10-17",
      "Id":"PutObjPolicy",
      "Statement":[{
        "Sid":"DenyUnEncryptedObjectUploads",
        "Effect":"Deny",
        "Principal":{
          "AWS":"*"
        },
        "Action":"s3:PutObject",
        "Resource":"arn:aws:s3:::YourBucket/*",
        "Condition":{
          "StringNotEquals":{
            "s3:x-amz-server-side-encryption":"AES256"
          }
        }
      }
      ]
    }
Server-side encryption encrypts only the object data. Object metadata is not encrypted.
The object creation REST APIs (see Specifying Server-Side Encryption Using REST API) provide a request header, x-amz-server-side-encryption, that you can use to request server-side encryption. The AWS SDKs also provide wrapper APIs for you to request server-side encryption. You can also use the AWS Management Console to upload objects and request server-side encryption.
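The following is an added example, not code from this page or from AWS. It shows how the bucket policy above and the x-amz-server-side-encryption request header fit together by simulating, offline, the one piece of IAM condition logic the policy depends on: StringNotEquals treats a missing condition key as "not equal", which is why a PutObject request that omits the header is denied, while a request whose header value is exactly AES256 is not. The policy dict is the page's policy with YourBucket kept as the placeholder name; the request objects, the helper names, and the sample object keys are constructed for this example, and the evaluator only implements StringNotEquals and simple `*` wildcard matching, not the full IAM policy language.

```python
"""Simulate how the DenyUnEncryptedObjectUploads bucket policy treats
PutObject requests (added example; constructed requests, not AWS code)."""

import fnmatch
from dataclasses import dataclass, field
from typing import Dict, Mapping

# REST header used to request server-side encryption, and the condition key
# S3 derives from it for bucket-policy evaluation.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"

# The page's policy as a Python dict ("YourBucket" is the page's placeholder).
DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [{
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::YourBucket/*",
        "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: "AES256"}},
    }],
}


def sse_put_headers() -> Dict[str, str]:
    """Headers a client adds to a PUT Object request to ask S3 for SSE."""
    return {SSE_HEADER: "AES256"}


@dataclass
class PutObjectRequest:
    """Constructed stand-in for a PUT Object request (hypothetical type)."""
    bucket: str
    key: str
    headers: Dict[str, str] = field(default_factory=dict)

    def condition_context(self) -> Dict[str, str]:
        # Only the SSE header maps to a condition key in this simulation.
        if SSE_HEADER in self.headers:
            return {SSE_CONDITION_KEY: self.headers[SSE_HEADER]}
        return {}


def string_not_equals(expected: Mapping[str, str], context: Mapping[str, str]) -> bool:
    """IAM StringNotEquals: true when every listed key is either absent from
    the request context or present with a different (case-sensitive) value."""
    for key, value in expected.items():
        actual = context.get(key)
        if actual is not None and actual == value:
            return False  # key present with the expected value: no match
    return True


def statement_applies(statement: dict, request: PutObjectRequest,
                      action: str = "s3:PutObject") -> bool:
    """Does the statement's Action, Resource and Condition all match?"""
    resource_arn = f"arn:aws:s3:::{request.bucket}/{request.key}"
    if not fnmatch.fnmatchcase(action, statement["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource_arn, statement["Resource"]):
        return False
    context = request.condition_context()
    for operator, expected in statement.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not simulated")
        if not string_not_equals(expected, context):
            return False
    return True


def is_denied(policy: dict, request: PutObjectRequest) -> bool:
    """True if any Deny statement in the bucket policy matches the request.
    (Whether the caller is otherwise allowed to PutObject is out of scope.)"""
    return any(stmt["Effect"] == "Deny" and statement_applies(stmt, request)
               for stmt in policy["Statement"])


if __name__ == "__main__":
    samples = {
        "header AES256": PutObjectRequest("YourBucket", "report.pdf", sse_put_headers()),
        "no header": PutObjectRequest("YourBucket", "report.pdf"),
        "header aes256 (wrong case)": PutObjectRequest(
            "YourBucket", "report.pdf", {SSE_HEADER: "aes256"}),
        "other bucket, no header": PutObjectRequest("OtherBucket", "report.pdf"),
    }
    for label, req in samples.items():
        verdict = "Deny" if is_denied(DENY_UNENCRYPTED_UPLOADS, req) else "not denied"
        print(f"{label:28s} -> {verdict}")
```

Two details are worth noting from the output: the header value is compared case-sensitively, so only the exact string AES256 satisfies the policy, and the statement's Resource is scoped to YourBucket, so the same request against another bucket is simply not covered by this policy rather than being allowed by it.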