

# Encryption best practices for Amazon S3
<a name="s3"></a>

[Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

For server-side encryption in Amazon S3, there are three options:
+ [Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html)
+ [Server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html)
+ [Server-side encryption with customer-provided encryption keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html)

Amazon S3 applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS Command Line Interface (AWS CLI) and AWS SDKs. For more information, see [Default encryption FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html).

To apply server-side encryption to an object at the time of upload, add the `x-amz-server-side-encryption` header to the request; its value tells Amazon S3 whether to encrypt the object with SSE-S3, SSE-KMS, or SSE-C. The following are the possible values for the `x-amz-server-side-encryption` header:
+ `AES256`, which tells Amazon S3 to use Amazon S3 managed keys.
+ `aws:kms`, which tells Amazon S3 to use AWS KMS managed keys.
+ Setting the value to `True` or `False` for SSE-C

For more information, see *Defense-in-depth requirement 1: Data must be encrypted at rest and during transit* in [How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data](https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/) (AWS blog post).

For [client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html) in Amazon S3, there are two options:
+ A key stored in AWS KMS
+ A key that is stored within the application

Consider the following encryption best practices for this service:
+ In AWS Config, implement the [s3-bucket-server-side-encryption-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html) AWS managed rule to validate and enforce S3 bucket encryption.
+ Deploy an Amazon S3 bucket policy that validates that all objects being uploaded are encrypted using the `s3:x-amz-server-side-encryption` condition. For more information, see the example bucket policy in [Protecting data using SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) and the instructions in [Adding a bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html).
+ Allow only encrypted connections over HTTPS (TLS) by using the `aws:SecureTransport` condition on S3 bucket policies. For more information, see [What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/)
+ In AWS Config, implement the [s3-bucket-ssl-requests-only](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html) AWS managed rule to require requests to use SSL.
+ Use a customer managed AWS KMS key when you need to grant cross-account access to Amazon S3 objects. Configure the key policy to allow access from the other AWS account.
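As an added example (not code from this guide or from AWS), the following Python models the two bucket-policy Deny statements recommended above, one on the `s3:x-amz-server-side-encryption` condition and one on `aws:SecureTransport`, and evaluates constructed sample requests against them. The bucket ARN and sample requests are placeholders, and the evaluator covers only the `StringNotEquals` and `Bool` operators this policy uses, not full IAM semantics.

```python
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # placeholder bucket name
# Deny PutObject unless x-amz-server-side-encryption: AES256 is present, and
# deny any request to the bucket or its objects that did not arrive over TLS.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def _condition_holds(condition, context):
    """Evaluate the two IAM condition operators the policy above uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # Negated operator: a missing header also counts as "not equal".
                if actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def is_denied(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Deny" or not fnmatchcase(action, stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_holds(stmt["Condition"], context):
            return stmt["Sid"]
    return None

# Constructed sample requests: compliant upload, upload without the header, plain-HTTP download.
OBJECT_ARN = f"{BUCKET_ARN}/report.csv"
COMPLIANT = {"s3:x-amz-server-side-encryption": "AES256", "aws:SecureTransport": "true"}
NO_HEADER = {"aws:SecureTransport": "true"}
PLAIN_HTTP = {"aws:SecureTransport": "false"}
```

The policy follows the SSE-S3 example; to require SSE-KMS instead, change the expected value to `aws:kms`. Because bucket default encryption now applies SSE-S3 automatically, this Deny still rejects any `PutObject` that omits the header, so upload clients must keep sending it.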