Core concept
SSE-S3: AES-256, AWS managed. Free. Default. SSE-KMS: KMS-managed keys. Audit trail via CloudTrail. Small per-op cost.
Advertisement
How it works
SSE-C: you provide key each request. AWS never stores. Advanced use case.
Advertisement
Trade-offs + gotchas
SSE-KMS for most (audit + rotation). SSE-C for regulated where AWS must never see keys. Client-side for zero-trust cloud.