Core concept

SSE-S3: AES-256, AWS managed. Free. Default. SSE-KMS: KMS-managed keys. Audit trail via CloudTrail. Small per-op cost.

Advertisement

How it works

SSE-C: you provide key each request. AWS never stores. Advanced use case.

Advertisement

Trade-offs + gotchas

SSE-KMS for most (audit + rotation). SSE-C for regulated where AWS must never see keys. Client-side for zero-trust cloud.