1. Home
  2. Training Library
  3. Storage (DVA-C01)

Overview of Encryption Mechanisms

Overview of Encryption Mechanisms
Overview
Difficulty
Beginner
Duration
1h 3m
Description

This course provides detail on the AWS Storage services relevant to the Developer - Associate exam.

Want more? Try a lab playground or do a Lab Challenge!

Learning Objectives

  • An overview of Amazon S3
  • An understanding of storage classes
  • S3 versioning
  • Server-access logging
  • Object-level logging
  • Transfer Acceleration
  • Implementing access control policies
  • Cross-Origin Resource Sharing (CORS)
  • Encryption mechanisms, including:
    • SSE-S3
    • SSE-KMS
    • SSE-C
    • CSE-KSM
    • CSE-C
Transcript

Depending on your requirements, one method of encryption may be more appropriate than another. To help you decide, here is a quick overview of each. 

Server-side encryption with S3 managed keys, SSE-S3. This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to upload your data and S3 will handle all other aspects. 

Server-side encryption with KMS managed keys, SSE-KMS. This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. 

Server-side encryption with customer provided keys, SSE-C. This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. 

Client-side encryption with KMS, CSE-KMS. Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. 

Client-side encryption with customer provided keys, CSE-C. Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. 

Okay, that has given us a very high-level overview of the five different methods. Via a series of diagrams, I will now explain how the encryption and decryption process works for each.

About the Author
Avatar
Stuart Scott
AWS Content Director
Students
187352
Labs
1
Courses
158
Learning Paths
115

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.