Which to choose, which to choose, there are a few options of encryption I'd like to go into. The two major ones are Server Side Encryption (SSE) and Client Side Encryption (CSE). SSE encrypts/decrypts objects on the server side while CSE does so on the client side. There are multiple types of SSE that I will go into.

First off we have SSE-S3. This is the default encryption method used. It utilizes AES-256 encryption and the keys are provided and managed by AWS. You are not able to alter the keys at all; it is all handled through AWS automatically.

Following that we have SSE-KMS. This allows you to utilize the AWS KMS service so that you may create and manage keys yourself. It is important to note you could be bound by a KMS request limit using this method, as every encrypt/decrypt generates KMS API calls and only so many of those are able to occur per second, so it depends on how active your S3 bucket is. You can also use CloudTrail to monitor usage of these keys in SSE-KMS. Side note: in SSE-KMS you can utilize an S3 Bucket Key to reduce the amount of traffic going from S3 to AWS KMS. This works by having S3 request one bucket-level key from KMS and then, for a short period of time, S3 derives the unique per-object encryption keys from that bucket key rather than querying AWS KMS for each and every individual key.

Finally in the SSE ring we have SSE-C. This encryption method is used for customer-provided keys: the customer simply uploads the object along with the key, S3 encrypts it, and then if the customer wants to decrypt the object they send the same key again for S3 to utilize. The keys used are not remembered by S3 for SSE-C. HTTPS must be used if you are utilizing SSE-C, as otherwise you would be sending the encryption and decryption keys in the clear.

Finally we have CSE. It's very similar to SSE-C in that the customer provides the keys, but in this case no keys are sent to S3 at all; all encryption and decryption occurs client-side and S3 only ever stores ciphertext.