4 Encryption Methods

Method        Who Manages Keys         HTTPS Required
SSE-S3        AWS (fully)              No
SSE-KMS       AWS KMS (you control)    No
SSE-C         You (outside AWS)        Yes, mandatory
Client-Side   You (fully)              No

1. SSE-S3 — S3 Managed Keys

How it works:

You --> upload file --> S3 encrypts it using its own managed key --> stores encrypted file
You --> download file --> S3 decrypts it automatically --> you get the file

The key never leaves AWS. You never see or touch it.

Use when: You just want basic encryption with no key management overhead.


2. SSE-KMS — KMS Managed Keys

How it works:

You --> upload file --> S3 asks KMS for a key --> KMS provides key
                   --> S3 encrypts file --> stores encrypted file

You --> download file --> S3 asks KMS to decrypt --> KMS decrypts
                     --> S3 returns file to you

Every encrypt/decrypt goes through KMS — that is why every action is auditable.
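
The audit trail from this flow can be read back out of CloudTrail, where the KMS calls S3 makes carry the S3 ARN in the encryption context under the key aws:s3:arn. The script below is an added example, not part of the original notes; the events, account ID, key ARN, bucket and user names are constructed placeholders.

```python
# Added example: constructed CloudTrail-style records, not real logs.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
OBJ_ARN = "arn:aws:s3:::example-bucket/report.csv"                 # placeholder

def _event(time, name, user, context, error=None):
    """Build one KMS record holding only the CloudTrail fields this audit reads."""
    ev = {
        "eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": {"encryptionContext": context},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    }
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "GenerateDataKey", "alice", {"aws:s3:arn": OBJ_ARN}),
    _event("2024-01-01T10:05:00Z", "Decrypt", "bob", {"aws:s3:arn": OBJ_ARN}),
    _event("2024-01-01T10:06:00Z", "Decrypt", "carol", {"aws:s3:arn": OBJ_ARN}, "AccessDenied"),
    _event("2024-01-01T10:07:00Z", "Decrypt", "dave", {"app": "billing"}),  # not an S3 call
]

# KMS operation behind each direction of the SSE-KMS flow.
S3_KMS_OPS = {"GenerateDataKey": "upload", "Decrypt": "download"}

def s3_kms_activity(events):
    """Return one row per KMS call made for S3: who, direction, object, key, outcome."""
    rows = []
    for ev in events:
        direction = S3_KMS_OPS.get(ev.get("eventName"))
        context = (ev.get("requestParameters") or {}).get("encryptionContext") or {}
        s3_arn = context.get("aws:s3:arn")  # context key S3 sets on its KMS calls
        if ev.get("eventSource") != "kms.amazonaws.com" or not direction or not s3_arn:
            continue
        key = next((r["ARN"] for r in ev.get("resources", [])
                    if r.get("type") == "AWS::KMS::Key"), None)
        user = ev["userIdentity"]["arn"].rsplit("/", 1)[-1]
        rows.append({"time": ev["eventTime"], "user": user, "direction": direction,
                     "object": s3_arn, "key": key, "outcome": ev.get("errorCode", "ok")})
    return rows

def denied_access(events):
    """Users whose S3 reads or writes were refused at the KMS layer."""
    return sorted({r["user"] for r in s3_kms_activity(events) if r["outcome"] != "ok"})

if __name__ == "__main__":
    for row in s3_kms_activity(SAMPLE_EVENTS):
        print(row)
```

With S3 Bucket Keys enabled, the context holds the bucket ARN rather than the object ARN, and fewer KMS calls are logged per object.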