
Handling encrypted data

Code example

To see an implementation for each type of encryption, see this repository.

S3 objects can be encrypted at upload time in one of four different ways, and which scheme is used affects how downloading and uploading with signed URLs work.

The four encryption schemes:

  • SSE-S3
  • SSE-KMS with AWS Managed CMK
  • SSE-KMS with Customer Managed CMK
  • SSE-C

In this chapter we'll look into how each encryption scheme can be implemented and what impact it has on signed URLs.

SSE-S3 and SSE-KMS with AWS Managed CMK

These two server-side encryption schemes are the so-called "seamless encryption" schemes: the only thing required for them to work is to turn them on. Because of this, they require only a tiny change in the implementation.

The difference between the two schemes is which service manages the encryption keys. With SSE-S3, S3 stores and manages the key, while with SSE-KMS that responsibility is transferred to the KMS service. But apart from what you read in the documentation, there are no observable differences between the two. And going further, there are no observable differences between using these encryption schemes and storing objects unencrypted.

Since they are "seamless encryption" schemes, no changes are required when you use signed URLs to download objects that use them.

Uploads

To upload an object and configure S3 to also encrypt it, specify the x-amz-server-side-encryption field as either AES256 for SSE-S3 or aws:kms for SSE-KMS.

import { S3Client } from "@aws-sdk/client-s3";
import { createPresignedPost } from "@aws-sdk/s3-presigned-post";

const s3Client = new S3Client({});

// Presigned POST for a browser upload. The encryption field is part of the
// signed form, so the uploaded object is stored encrypted with the chosen scheme.
const data = await createPresignedPost(s3Client, {
  Bucket: process.env.BUCKET,
  Key: key,
  Fields: {
    // AES256 is SSE-S3
    // aws:kms is SSE-KMS
    "x-amz-server-side-encryption": "AES256",
    // ...
  },
  Conditions: [
    // ..
  ]
});
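To make concrete why placing the encryption field in the presigned POST enforces encryption on the upload (while downloads of SSE-S3 and SSE-KMS objects need no change at all), here is an added example that is not code from the book or from its companion repository. It is a local, dependency-free model of the S3 POST policy document and of the checks S3 applies to a submitted form against that policy. It assumes that each entry passed in Fields ends up as an exact-match condition in the signed policy (which is how the model builds its policy); the bucket name, key and form fields are constructed sample values, and the evaluator handles only the eq, starts-with and content-length-range condition types.

```javascript
// Added example, not code from the book or its companion repository: a
// local model of the S3 POST policy document and of the checks S3 applies
// to a browser upload against it. It shows why an encryption field placed
// in the presigned POST makes encryption mandatory for that upload rather
// than a default the client could drop. The policy layout (expiration plus
// "eq", "starts-with" and "content-length-range" conditions) is the
// documented S3 POST policy format; the evaluator is a constructed
// approximation that handles only those condition types, and the bucket
// and key names below are constructed sample values.

// Build the policy a server would sign for an upload of `key` into `bucket`.
// `sse` is "AES256" (SSE-S3) or "aws:kms" (SSE-KMS with the AWS managed key).
function buildUploadPolicy({ bucket, key, sse, maxBytes = 10 * 1024 * 1024, ttlSeconds = 300 }) {
  if (sse !== "AES256" && sse !== "aws:kms") {
    throw new Error(`unsupported x-amz-server-side-encryption value: ${sse}`);
  }
  const expiration = new Date(Date.now() + ttlSeconds * 1000).toISOString();
  return {
    expiration,
    conditions: [
      { bucket },
      ["eq", "$key", key],
      // Exact match: the form must carry this field with exactly this value.
      ["eq", "$x-amz-server-side-encryption", sse],
      ["content-length-range", 0, maxBytes],
    ],
  };
}

// Encode the policy as it travels in the form (base64 of the JSON text).
function encodePolicy(policy) {
  return Buffer.from(JSON.stringify(policy)).toString("base64");
}

function decodePolicy(encoded) {
  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
}

// Check a submitted upload against a policy. `request` carries the target
// bucket, the form fields and the body length. Returns { ok: true } or
// { ok: false, reason }. Field names are compared case-insensitively.
function evaluateUpload(policy, request, now = new Date()) {
  const fields = {};
  for (const [k, v] of Object.entries(request.fields)) fields[k.toLowerCase()] = v;
  const lookup = (name) => {
    const n = name.replace(/^\$/, "").toLowerCase();
    return n === "bucket" ? request.bucket : fields[n];
  };

  if (now >= new Date(policy.expiration)) return { ok: false, reason: "policy expired" };

  for (const cond of policy.conditions) {
    if (!Array.isArray(cond)) {
      // Object form { name: value } is shorthand for an exact match.
      for (const [name, value] of Object.entries(cond)) {
        if (lookup(name) !== value) return { ok: false, reason: `${name} must equal ${value}` };
      }
      continue;
    }
    const [op, a, b] = cond;
    if (op === "eq") {
      if (lookup(a) !== b) return { ok: false, reason: `${a} must equal ${b}` };
    } else if (op === "starts-with") {
      const v = lookup(a);
      if (typeof v !== "string" || !v.startsWith(b)) return { ok: false, reason: `${a} must start with ${b}` };
    } else if (op === "content-length-range") {
      const len = request.contentLength;
      if (len < a || len > b) return { ok: false, reason: `content length ${len} outside [${a}, ${b}]` };
    } else {
      return { ok: false, reason: `unsupported condition ${op}` };
    }
  }
  return { ok: true };
}

// Walk through the cases the chapter cares about, with constructed values:
// an upload that carries the field, one that drops it, one with another scheme.
function demo() {
  const policy = decodePolicy(encodePolicy(buildUploadPolicy({
    bucket: "example-bucket", key: "uploads/report.pdf", sse: "AES256",
  })));
  const base = { bucket: "example-bucket", contentLength: 4096 };
  return {
    encrypted: evaluateUpload(policy, { ...base, fields: { key: "uploads/report.pdf", "x-amz-server-side-encryption": "AES256" } }),
    headerDropped: evaluateUpload(policy, { ...base, fields: { key: "uploads/report.pdf" } }),
    wrongScheme: evaluateUpload(policy, { ...base, fields: { key: "uploads/report.pdf", "X-Amz-Server-Side-Encryption": "aws:kms" } }),
  };
}
```

Calling demo() yields an accepted upload only for the form that carries x-amz-server-side-encryption with the signed value; the form that omits the field and the one that substitutes aws:kms are both rejected with a reason naming that field. That is the property the chapter relies on: because the encryption field is part of what the server signs, a client holding the presigned form cannot upload an unencrypted object, and the download side of SSE-S3 and SSE-KMS needs no counterpart since decryption happens transparently on the S3 side.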

SSE-KMS with Customer Managed CMK
