Showing posts with label encryption. Show all posts

Thursday, August 24, 2017

AWS S3 Encryption Options




Here are options for AWS S3 encryption...
(ref: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html)

SSE-S3 is the fastest implementation, CSE-KMS is the most secure, and SSE-KMS is the middle ground.

Overview of Types:

    Server Side Encryption (SSE) - ensures files are encrypted in storage

        Key Management Options:

            - SSE-S3 Managed Keys
                - keys handled by S3
                - enable through AWS Management Console or HTTP request header

            - SSE-KMS (Key Management Service)
                - master encryption key is used to encrypt encryption keys
                - keys managed by AWS-KMS
                - specify id of aws-kms-key to use for encryption

            - SSE-C (Client)
                - master encryption key is used to encrypt encryption keys
                - keys managed by client

    Client Side Encryption (CSE) - ensures files are encrypted before being sent to storage

        Key Management Options:

            - CSE-KMS (Key Management Service)
                - master keys are managed by AWS-KMS

            - CSE-C (Client)
                - master keys are managed by the client

AWS KMS cost is $1 per key and $0.03 / 10,000 requests, as of writing.

As stated earlier: SSE-S3 for the quickest implementation, CSE-KMS for the most secure, and SSE-KMS for the middle ground.

SSH : No matching host key type found. Their offer: ssh-rsa,ssh-dss

Got this while connecting to my mikrotik router via ssh   Unable to negotiate with <ip address> port <ssh port>: no matching hos...