开始准备AWS Developer认证考试--服务器端加密保护数据S3

使用具有 Amazon S3 托管密钥的服务器端加密 (SSE-S3) – 使用唯一密钥加密每个对象。作为额外的保护，它将使用定期轮换的主密钥对密钥本身进行加密。Amazon S3 服务器端加密使用可用的最强数据块密码之一（即 256 位高级加密标准 (AES-256)）来加密您的数据。有关更多信息，请参阅 使用具有 Amazon S3 托管加密密钥的服务器端加密 (SSE-S3) 保护数据。

使用具有 AWS KMS 托管密钥的服务器端加密 (SSE-KMS) – 与 SSE-S3 类似，但使用此服务有一些额外好处以及一些额外费用。使用信封密钥（即，envelope key保护数据的加密密钥的密钥）需要单独的权限，信封密钥可进一步防止未经授权地访问 Amazon S3 中的对象。SSE-KMS 还提供您的密钥的使用时间和使用者的审核跟踪。此外，您可以选择自己创建和管理加密密钥，或使用对您所使用的服务和您的工作区域来说具有唯一性的默认密钥。有关更多信息，请参阅使用具有 AWS KMS 托管密钥的服务器端加密 (SSE-KMS) 保护数据。

使用具有客户提供密钥的服务器端加密 (SSE-C) – 您管理加密密钥，而 Amazon S3 管理加密（在它对磁盘进行写入时）和解密（在您访问您的对象时）。有关更多信息，请参阅 通过使用客户提供的加密密钥的服务器端加密 (SSE-C) 保护数据。

Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

Use Server-Side Encryption with Keys Stored in AWS KMS (SSE-KMS) – Similar to SSE-S3, but with some additional benefits along with some additional charges for using this service. There are separate permissions for the use of an envelope key (that is, a key that protects your data‘s encryption key) that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you‘re using, and the Region you‘re working in. For more information, see Protecting Data Using Server-Side Encryption with keys stored in AWS KMS(SSE-KMS).

Use Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects. For more information, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).