Key Storage Encryption
Location
Requirement Recommendation
Customer in S3 You want to manage the keys
(including rotation) outside AWS
SSE with CustomerProvided Keys (SSE-C)
KMS in S3 Easy Management of Keys.
Auditing.
SSE with Customer
Master Keys (SSE-KMS)
KMS in S3 You want Encryption but Don't
want Management
SSE with Amazon S3-
Managed Keys (SSES3)
Customer (master key
stored within your app)
On
Premises
CSE (Amazon S3
encryption client)
KMS On
Premises
CSE (Amazon S3
encryption client)