Can someone please explain the use-case for SSE-KMS vs SSE-C for encrypting the content of S3 bucket. To the best of my understanding I may use either technique in case I own an encryption key with which I wish to encrypt the content (as KMS allows to import external key). Which of the two I should use ?
Kind Regards,
1 Answer
That's correct. The main difference between SSE-KMS and SSE-C is who manages the encryption key.
SSE-C
If you want to manage the encryption key yourself, you need to include that encryption key as part of every request to S3. If you lose the encryption key, you lose all the objects that are encrypted by this key.
SSE-KMS
If you store it in KMS, you don't need to include it in the requests to S3. Instead, just upload/download your files normally and KMS will talk to S3 and handle that for you.