1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Using Amazon S3 Bucket Properties & Management Features to Maintain Data

Default Encryption


3m 40s

The course is part of these learning paths

Deep Dive: Amazon S3
Technical Essentials of AWS
Serverless Platform Services on AWS
AWS Machine Learning – Specialty Certification Preparation
more_horizSee 3 more
Start course

This course will look at some of the management and bucket property features that Amazon S3 has to offer, and how you can use them to maintain and control your data. There are a number of different features available and you may be familiar with some of them, and others perhaps not so much, so this course has been designed to give you a full overview of what is available to you. 

If you have any feedback, queries, or comments relating to this course, feel free to reach out to us at support@cloudacademy.com.

Course Objectives

The main objective of this course is to introduce and explain the available properties that are configurable at the bucket level that Amazon S3 has to offer to help you manage and administer your data effectively. 

Intended Audience

This course has been designed for:

  • Storage and operations engineers responsible for maintaining and storing data within the enterprise
  • AWS Architects who are designing new solutions requiring data storage capabilities
  • Those who are looking to begin their certification journey with either the AWS Cloud Practitioner or one of the three Associate-level certifications


This is an intermediate level course to AWS storage services and, therefore, to get the most out of this course, you should have some basic knowledge of Amazon S3. For more information related to this service, please see our existing course entitled Introduction to Amazon S3.



Hello and welcome to this lecture covering the default encryption options for your S3 buckets. Whenever you have sensitive data being stored in S3 it’s imperative to have some level of encryption enabled as an additional layer of security to protect your data.

Using default encryption, you are able to set a default encryption mechanism for every new object that is uploaded to the bucket. However, please note that for any objects that are already in your bucket prior to enabling default encryption, they will NOT be encrypted.

To enable default encryption on a particular bucket you can select the ‘Default Encryption’ tile from the bucket properties tab. This will enable you to configure one of 2 different default encryption options. AES-256, also known as SSE-S3 which stands for Server-side encryption using S3 managed keys, and AWS-KMS, this is often referred to as SSE-KMS which stands for Server-side encryption using KMS managed keys. KMS is the Key Management Service. If you are unfamiliar with this service you can learn more about it in this course here.

Let me explain both of these types of encryption at a high level, starting with SSE-S3. Server-Side Encryption with S3 Managed Keys, SSE-S3 Server-side encryption with S3 managed keys, SSE-S3 requires minimal configuration and all management of the encryption keys used are managed by AWS. All you need to do is to upload your data and S3 will handle all other aspects, making the encryption seemingly invisible to the end-user.

The encryption process. Firstly, a client uploads Object Data to S3 S3 then takes this Object Data and encrypts it with an S3 Plaintext Data Key. This creates an encrypted version of the Object Data, which is then saved and stored on S3 Next, the S3 Plaintext Data Key is encrypted with an S3 Master Key, which creates an encrypted S3 Data Key. This encrypted Data Key is then also stored on S3 and the Plaintext Data Key is removed from memory.

For the decryption process, a request is made by the client to S3 to retrieve the Object Data. S3 takes the associated encrypted S3 Data Key of the Object Data and decrypts it with the S3 Master Key. The S3 Plaintext Data Key is then used to decrypt the object data. This object data is then sent back to the client.

Now let’s look at Server-Side Encryption with KMS Managed Keys, SSE-KMS. SSE-KMS allows S3 to use the key management service (KMS) to generate your data encryption keys. Using KMS gives you far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and audit against their usage using AWS Cloud Trail.

The encryption process is as follows. Firstly, a client uploads object data to S3. S3 then requests data keys from a KMS-CMK. Using the specified CMK, KMS generates two data keys, a plain text data key and an encrypted version of the same data key. These two keys are then sent back to S3. S3 then combines the object data and the plain text data key to perform the encryption. This creates an encrypted version of the object data which is then stored on S3 along with the encrypted data key. The plain text data key is then removed from memory.

For the decryption process, a request is made by the client to S3 to retrieve the object data, then S3 sends the associated encrypted data key of the object data to KMS. KMS then uses the correct CMK with the encrypted data key to decrypt it and create a plain text data key. This plain text data key is then sent back to S3. The plain text data key is then combined with the encrypted object data to decrypt it. This decrypted object data is then sent back to the client.

If you would like to learn more about other encryption available to use within S3 outside of the default encryption options, including Server-side encryption using customer-managed keys (SSE-C), Client-side encryption using KMS managed keys (CSE-KMS), Client-side encryption using customer-managed keys (CSE-C), then see our existing course here.



Introduction - Versioning - Server-Access Logging - Static Website Hosting - Object-Level Logging - Object Lock - Tags - Transfer Acceleration - Events - Requester Pays - Summary

About the Author
Stuart Scott
AWS Content Director
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.