Server Side Encryption with S3 Managed Key (SSE-S3)
Amazon S3 manages the encryption keys for you. Upload and retrieval are fully transparent: the file is encrypted automatically before it is saved to S3 and decrypted automatically when you request it.
This is the first server-side encryption method supported by Amazon S3; it was announced by the Amazon S3 team in 2011.
When you upload a file to an SSE-S3 enabled bucket, a new encryption key is generated for each file. Amazon S3 encrypts the file with that key and then encrypts the key itself with the S3 Master Key, which is rotated regularly.
The encrypted file is stored on Amazon S3 together with metadata containing the encryption key, which is itself encrypted with the S3 Master Key. The metadata is stored in plain-text form.
Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).
The file is decrypted automatically when you request it: Amazon S3 reads the encrypted key from the metadata and decrypts it with the S3 Master Key; the resulting key is used to decrypt the file, which is served back to you.
Encryption with CMKs stored in AWS KMS (SSE-KMS)
Server-Side Encryption with Customer Master Keys (CMKs) stored in AWS Key Management Service (SSE-KMS) gives you more flexibility regarding the keys: you can create, rotate, and disable customer managed CMKs. You can also define access controls on the customer managed CMKs and audit their use.
When you upload a file to an SSE-KMS enabled bucket, S3 requests an encryption key from KMS; KMS generates the key and returns it to S3, and Amazon S3 uses it to encrypt the file. The encrypted file is stored on disk, and the encryption key is itself encrypted with the CMK and stored with the file in its metadata.
When you request the file, Amazon S3 reads the encrypted key from the metadata and decrypts it with the CMK; the resulting key is used to decrypt the file, which is served back to you.
Amazon Managed CMKs vs Customer Managed CMKs
You can use the default AWS managed CMK, or you can specify a customer managed CMK that you created beforehand.
If you would like to use a customer managed CMK, you need to create it first via the AWS Management Console (KMS) or the KMS API.
If you do not specify a customer managed CMK, a region-specific AWS managed CMK is created automatically the first time you add an object to an SSE-KMS enabled bucket. It is used for all further requests that do not specify a customer managed CMK.
Encryption with customer-provided encryption keys (SSE-C)
You may use your own encryption keys to encrypt data on Amazon S3. In this case Amazon S3 only performs the encryption and decryption; you manage the keys.
When you upload a file with SSE-C parameters, Amazon S3 reads the encryption key from your request and uses it to encrypt the file; it also generates a salted HMAC of the key, which is used to validate the decryption key when you request the file back. The encrypted file is stored on S3 together with the key hash. The encryption key is removed from memory once the file is encrypted and the hash generated.
When you request the file, you provide the decryption key; Amazon S3 computes the hash of the provided key and compares it with the hash stored with the file. If the hashes match, the provided key is used to decrypt the file and the decrypted file is served to you. The decryption key is then removed from memory.
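As an added illustration (not part of the original page and not S3 Browser's or Amazon's code), the Python below models the two storage layouts described above: the SSE-S3/SSE-KMS envelope, where a fresh per-object key is wrapped by a master key and kept in the object's metadata, and SSE-C, where only a salted HMAC of the customer's key is kept. An HMAC-SHA256 keystream stands in for the AES-256 that S3 actually uses, and the metadata field names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: HMAC-SHA256 keystream in counter mode XORed onto
    the data. Encrypting and decrypting are the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class StoredObject:
    ciphertext: bytes
    nonce: bytes
    metadata: dict  # kept in plain text beside the object, as the page describes


# SSE-S3 / SSE-KMS: one data key per object, wrapped by the master key (or CMK).
def sse_put(data: bytes, master_key: bytes) -> StoredObject:
    data_key = secrets.token_bytes(32)  # generated for this object only
    nonce = secrets.token_bytes(16)
    ciphertext = stream_cipher(data_key, nonce, data)
    wrapped = stream_cipher(master_key, b"wrap" + nonce, data_key)  # only the wrapped key is stored
    return StoredObject(ciphertext, nonce, {"wrapped-key": wrapped.hex()})


def sse_get(obj: StoredObject, master_key: bytes) -> bytes:
    wrapped = bytes.fromhex(obj.metadata["wrapped-key"])
    data_key = stream_cipher(master_key, b"wrap" + obj.nonce, wrapped)  # unwrap, then decrypt
    return stream_cipher(data_key, obj.nonce, obj.ciphertext)


# SSE-C: the customer's key is used directly; the server keeps only a salted HMAC of it.
def ssec_put(data: bytes, customer_key: bytes) -> StoredObject:
    nonce, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    ciphertext = stream_cipher(customer_key, nonce, data)
    key_hash = hmac.new(salt, customer_key, hashlib.sha256).digest()
    # customer_key is not stored: only ciphertext, salt and key hash survive this call
    return StoredObject(ciphertext, nonce, {"salt": salt.hex(), "key-hash": key_hash.hex()})


def ssec_get(obj: StoredObject, customer_key: bytes) -> bytes:
    expected = hmac.new(bytes.fromhex(obj.metadata["salt"]), customer_key, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(obj.metadata["key-hash"])):
        raise PermissionError("provided key does not match the stored key hash")
    return stream_cipher(customer_key, obj.nonce, obj.ciphertext)
```

In the SSE-C case a wrong key is rejected by the hash check before any decryption is attempted, and since only the salted hash is retained, an object whose key the customer has lost cannot be decrypted by the server.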