To see an implementation for each type of encryption, see this repository.
S3 objects can be encrypted on upload in one of four different ways, and which one is used can affect how downloading and uploading with signed URLs work.
The four encryption schemes:
In this chapter we'll look into how each encryption can be implemented and what impact they have on signed URLs.
SSE-S3 and SSE-KMS, the two server-side encryptions covered here, are the so-called "seamless encryption" schemes: the only thing required for them to work is to turn them on. Because of this, they need only a tiny change in the implementation.
The difference between the two is which service manages the encryption keys. With SSE-S3, S3 stores and manages the key; with SSE-KMS, that responsibility is transferred to the KMS service. Apart from what the documentation says, though, there are no observable differences between the two. Going further, there are no observable differences between using these encryptions and storing objects unencrypted.
Since they are "seamless encryption" schemes, no changes are required when you use signed URLs to download objects that use them.
To upload an object and have S3 encrypt it as well, set the `x-amz-server-side-encryption` field to either `AES256` for SSE-S3 or `aws:kms` for SSE-KMS.
```javascript
import { createPresignedPost } from "@aws-sdk/s3-presigned-post";

// s3Client is an S3Client instance configured elsewhere
const data = await createPresignedPost(s3Client, {
  Bucket: process.env.BUCKET,
  Key: key,
  Fields: {
    // AES256 is SSE-S3
    // aws:kms is SSE-KMS
    "x-amz-server-side-encryption": "AES256",
    // ...
  },
  Conditions: [
    // ..
  ],
});
```
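The reason the encryption field belongs in the presigned POST (rather than being left to the uploading client) is that every field becomes a condition in the signed policy, so a form that omits or changes it is rejected. The following is an added example, not code from the original page or from the AWS SDK: it mimics S3's documented POST policy matching rules (exact match, "eq", "starts-with", and the rule that every submitted field must be covered by a condition) in a small local checker. The bucket name, key and helper names are constructed for illustration.

```javascript
// Added example: a local re-implementation of how S3 evaluates a POST policy
// against submitted form fields. Not the SDK and not S3 itself; it only
// mirrors the documented rules so the effect of the encryption field is visible.
const SSE_FIELD = "x-amz-server-side-encryption";

// Build the policy the way a presigned POST does: each Field becomes an
// exact-match condition; extra Conditions are appended as given.
function buildPolicy(fields, conditions, expiration) {
  const exact = Object.entries(fields).map(([k, v]) => ({ [k]: v }));
  return { expiration, conditions: [...exact, ...conditions] };
}

// Name of the form field a condition refers to ("$Content-Type" -> "Content-Type").
function conditionField(cond) {
  return Array.isArray(cond) ? String(cond[1]).replace(/^\$/, "") : Object.keys(cond)[0];
}

// Evaluate one condition against the submitted form.
function conditionHolds(cond, form) {
  const actual = form[conditionField(cond)];
  if (actual === undefined) return false;
  if (!Array.isArray(cond)) return actual === Object.values(cond)[0];
  const [op, , value] = cond;
  if (op === "eq") return actual === value;
  if (op === "starts-with") return actual.startsWith(value);
  return false; // content-length-range and others are not modelled here
}

// S3 rejects a form field that is not covered by any condition, except
// "file", "policy", "x-amz-signature" and x-ignore-* fields.
function uploadAccepted(policy, form) {
  const exempt = new Set(["file", "policy", "x-amz-signature"]);
  const covered = new Set(policy.conditions.map(conditionField));
  for (const k of Object.keys(form)) {
    if (!exempt.has(k) && !k.startsWith("x-ignore-") && !covered.has(k)) return false;
  }
  return policy.conditions.every((c) => conditionHolds(c, form));
}

// Constructed sample: the Fields from the snippet above plus a content-type condition.
const samplePolicy = buildPolicy(
  { bucket: "example-bucket", key: "uploads/report.pdf", [SSE_FIELD]: "AES256" },
  [["starts-with", "$Content-Type", "application/"]],
  "2030-01-01T00:00:00Z"
);
```

Submitting the form with the `AES256` field intact passes; dropping the field, or swapping it for `aws:kms`, fails the exact-match condition and the upload would be refused.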