As of last week, all new objects added to Amazon S3 receive a base level of encryption. Amazon S3 automatically applies S3 managed server-side encryption (SSE-S3), which uses the 256-bit Advanced Encryption Standard, free of cost. This encryption has no impact on performance and has been configured for trillions of objects by customers.
With this new base level of encryption, customers will be able to meet their encryption requirements without having to make any changes to applications. Customers still have the ability to change the default configuration to use customer-provided encryption keys (SSE-C) or AWS Key Management Service keys (SSE-KMS).
With this update, Amazon S3 automatically applies SSE-S3 as the base level of the Default Encryption setting on all new and existing buckets, without the customer having to configure any encryption settings. If you’re an existing customer who has been using the S3 Default Encryption configuration, nothing will change. The only change is that customers can no longer disable automatic encryption on new objects. No matter what, all new data uploaded to Amazon S3 will be encrypted.
You can find the automatic encryption status for new object uploads in AWS CloudTrail logs. Status will also begin to show in the S3 management console, S3 Inventory, S3 Storage Lens, and as an additional S3 API header in the AWS CLI and AWS SDK. Amazon says this S3 update applies to all AWS Regions, including the AWS GovCloud (US) Regions and AWS China Regions.
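To check which of the three modes (SSE-S3, SSE-KMS, SSE-C) was applied to uploads, the CloudTrail records can be classified by their S3 encryption headers. The sketch below is an added example, not code from Amazon or from this article; the event records are trimmed, constructed samples, and the function names `classify` and `summarize` are hypothetical.

```python
import json
from collections import Counter

# Constructed sample: trimmed CloudTrail S3 data events (not real log output).
SAMPLE_EVENTS = json.loads("""
[
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
  "responseElements": {"x-amz-server-side-encryption": "AES256"}},
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "b.txt"},
  "responseElements": {"x-amz-server-side-encryption": "aws:kms",
    "x-amz-server-side-encryption-aws-kms-key-id": "EXAMPLE-KEY-ARN"}},
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "c.bin",
    "x-amz-server-side-encryption-customer-algorithm": "AES256"},
  "responseElements": {"x-amz-server-side-encryption-customer-algorithm": "AES256"}},
 {"eventName": "PutObject", "responseElements": null,
  "requestParameters": {"bucketName": "example-bucket", "key": "d.txt"}},
 {"eventName": "GetObject", "responseElements": null,
  "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"}}
]
""")

WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}
SSE = "x-amz-server-side-encryption"
SSE_C = "x-amz-server-side-encryption-customer-algorithm"

def classify(event):
    # Returns the SSE mode for a write event, None for any other event.
    if event.get("eventName") not in WRITE_EVENTS:
        return None
    headers = {}
    for part in ("requestParameters", "responseElements"):
        headers.update({k.lower(): v for k, v in (event.get(part) or {}).items()})
    if SSE_C in headers:
        return "SSE-C"
    if headers.get(SSE) == "aws:kms":
        return "SSE-KMS"
    if headers.get(SSE) == "AES256":
        return "SSE-S3"
    return "UNKNOWN"  # header missing from the record: review it manually

def summarize(events):
    return Counter(m for m in map(classify, events) if m)

if __name__ == "__main__":
    for mode, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{mode}: {n}")
```

An `UNKNOWN` result means the record carried no encryption header (for example, a failed request or a trimmed log), not that the object is stored unencrypted.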
If you’re interested in using Amazon S3 as your cloud storage service, make sure to fill out our quick quote form to receive bids from our managed service providers (MSPs). Some of our customers have saved as much as 70% on their cloud storage costs, and using WindRate’s service is entirely free.