Server-Side Encryption
You can configure the destination to use Amazon Web Services server-side encryption (SSE) to protect data written to Amazon S3. When configured for server-side encryption, the destination passes required server-side encryption configuration values to Amazon S3. Amazon S3 uses the values to encrypt the data as it is written to Amazon S3.
When you enable server-side encryption for the destination, you select one of the
following ways that Amazon S3 manages the encryption keys:
- Amazon S3-Managed Encryption Keys (SSE-S3)
- When you use server-side encryption with Amazon S3-managed keys, Amazon S3 manages the encryption keys for you.
- AWS KMS-Managed Encryption Keys (SSE-KMS)
- When you use server-side encryption with AWS Key Management Service (KMS), you specify the Amazon resource name (ARN) of the AWS KMS master encryption key that you want to use. You can also specify key-value pairs to use for the encryption context.
- Customer-Provided Encryption Keys (SSE-C)
- When you use server-side encryption with customer-provided keys, you specify
the following information:
- Base64 encoded 256-bit encryption key
- Base64 encoded 128-bit MD5 digest of the encryption key using RFC 1321
For more information about using server-side encryption to protect data in Amazon S3, see the Amazon S3 documentation.