Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit using Secure Socket Layer/Transport Layer Security (SSL/TLS) or client-side encryption. You have the following options for protecting data at rest in Amazon S3:

  • Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.
  • Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

Protecting data using server-side encryption

Server-side encryption is the encryption of data at its destination by the application or service that receives it. Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects. Additionally, when you list objects in your bucket, the list API returns a list of all objects, regardless of whether they are encrypted.

You have three mutually exclusive options, depending on how you choose to manage the encryption keys.

  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
  • Server-Side Encryption with Customer-Provided Keys (SSE-C)

In this post we going to use Server-Side Encryption with Customer-Provided Keys (SSE-C)


  • AWS Account
  • AWS CLI installed
  • Openssl installed


  • Create an user with IAM with programmatic access and S3 permissions
  • Create an S3 bucket
  • Login with AWS CLI
  • Create a key with openssl
  • Upload a file providing the Key


  1. In AWS Management Console go to IAM

2. Click on Users

3. Click on Add user

4. Give it a name, in Access type select Programmatic access and click on Next

5. Select Attach existing policies directly, Search for S31FullAccess and select it, click on Next

6. Click on Next: Review

7. And click on Create user

8. Download the .csv file and click on Close

9. Go to S3

10. Click on Create bucket

11. Give it a name and click on Create bucket on the button page (the name need to be unique in all the AWS bucket namespaces)

12. Select the bucket and click on Copy ARN, paste it somewhere to used later.

13. Open a terminal and login with the csv data, the region the bucket are created and json as output format

aws configure
AWS Secret Access Key [None]: gjesfbu9cmHw5Ujjs5SOvItgOPEh6RmoFP7fc/0P
Default region name [None]: us-east-2
Default output format [None]: json
Use your own info

14. Create a key with openssl, in my case I'm going to called mykey, when you create it, it will return the key

openssl enc -aes-128-cbc -md sha512 -pbkdf2 -iter 100000 -k mykey -P
iv =732FC4C4272983EC2B90B1DF10519796

15. Create a two files for test, we going to use one for encryption and one without encryption

touch encrypted.txt unencrypted.txt
echo "This file is encrypted" > encrypted.txt
echo "This file is not encrypted" > unencrypted.txt

16. Upload the file to the bucket giving the key for encryption

aws s3 cp encrypted.txt s3://sse-c-test-bucket1/encrypted.txt --sse-c --sse-c-key DA4C800A1472FC602D16B10EC418687D

17. Upload the unencrypted file

aws s3 cp unencrypted.txt s3://sse-c-test-bucket1/unencrypted.txt

18. Go to S3

19. Select the bucket

19. An you will see the files there

20. Select the unencrypted.txt and click on Actions, Open

You can view the content, as this file is not encrypted

But if you try the same with the encrypted file you will see a error message

20. For download the files, is the same command, for unencrypted

aws s3 cp s3://sse-c-test-bucket1/unencrypted.txt unencrypted-file.txt
cat unencrypted-file.txt
This file is not encrypted

21. For download the encrypted file

aws s3 cp s3://sse-c-test-bucket1/encrypted.txt encrypted-file.txt --sse-c --sse-c-key DA4C800A1472FC602D16B10EC418687D
cat encrypted-file.txt
This file is encrypted

22. If you try to download the file without the key you will see an error

aws s3 cp s3://sse-c-test-bucket1/encrypted.txt encryptedfile.txt
fatal error: An error occurred (400) when calling the HeadObject operation: Bad Request

Great, you know how to encrypt and decrypt files using CMK's in the next post we going deeper into the AWS services


  1. In the AWS Management Console, go to AWS S3

2. Select the bucket we create for this lab and click on Empty

3. Confirm

4. Select the bucket and click on Delete

5. Confirm

6. From the terminal, delete the credentials

 rm ~/.aws/credentials ~/.aws/config
 rm -R ~/.aws

7. Go to IAM

8. Go to users

9. Select the user and click on Delete user

10. Confirm