Architecture

Encryption / KMS

The combination of data encryption (at rest and in transit) with key management service (KMS) integration to protect S3-stored data, including server-side encryption (SSE-S3, SSE-KMS, SSE-C) and client-side encryption patterns.


Summary

Where it fits

Encryption/KMS is the data protection layer for S3-based lakehouses. It ensures that even with direct S3 access, data is unreadable without appropriate key permissions. KMS integration enables key rotation, envelope encryption, and audit trails of key usage.

Misconceptions / Traps
  • Server-side encryption (SSE) protects data at rest on S3 disks but does not prevent authorized IAM principals from reading decrypted data. SSE is a compliance control, not an access control.
  • SSE-KMS adds a KMS API call per object read/write. At high request volumes, KMS throttling (default 10,000 requests/second per region) becomes a bottleneck.
  • Client-side encryption provides stronger protection (data is encrypted before reaching S3) but prevents server-side features like S3 Select, Athena pushdown, and S3 Intelligent-Tiering from operating on the data.
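
The first two points above, SSE-KMS as a compliance control and the KMS key policy as the actual access control, can be seen together in one deployment; the Terraform below is an added example, not code from the original page. The bucket name lakehouse-raw, the role analytics-reader, the region and the account id 111122223333 are assumed placeholders.

```hcl
# Added example, not from the page. Bucket, role, region and account id 111122223333 are placeholders.

# Key policy = access control: only a principal this key lets decrypt can read the objects.
resource "aws_kms_key" "lakehouse" {
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "KeyAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::111122223333:root" } },
      { Sid = "ReaderDecryptsViaS3", Effect = "Allow", Resource = "*",
        Principal = { AWS = "arn:aws:iam::111122223333:role/analytics-reader" },
        Action    = ["kms:Decrypt", "kms:GenerateDataKey"],
        Condition = { StringEquals = { "kms:ViaService" = "s3.us-east-1.amazonaws.com" } } }
    ]
  })
}

# Default encryption: uploads that send no encryption headers still land under the CMK.
resource "aws_s3_bucket_server_side_encryption_configuration" "lakehouse" {
  bucket = "lakehouse-raw"
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.lakehouse.arn
    }
  }
}

# Bucket policy = compliance control: an upload naming a different algorithm or key is refused.
# One Deny per header (keys inside a single Condition block are ANDed); IfExists lets
# header-less uploads fall through to the default encryption above.
resource "aws_s3_bucket_policy" "lakehouse" {
  bucket = "lakehouse-raw"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      for header, required in {
        "s3:x-amz-server-side-encryption"                = "aws:kms"
        "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.lakehouse.arn
      } : {
        Effect = "Deny", Principal = "*", Action = "s3:PutObject",
        Resource  = "arn:aws:s3:::lakehouse-raw/*",
        Condition = { StringNotEqualsIfExists = { (header) = required } }
      }
    ]
  })
}
```

Note that an IAM principal with s3:GetObject but no kms:Decrypt grant on this key receives ciphertext it cannot read, which is the distinction the trap above draws.
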
Key Connections
  • scoped_to S3, Object Storage — encryption of S3-stored data
  • enables Compliance-Aware Architectures — encryption is a baseline regulatory requirement
  • enables PII Tokenization — KMS underpins tokenization key management
  • constrains Request Pricing Models — KMS calls add per-request cost

Definition

What it is

The practice of encrypting data at rest on S3 using server-side encryption (SSE-S3, SSE-KMS, SSE-C) or client-side encryption, with key management handled by AWS KMS or an external key management service.

Why it exists

S3 data at rest is vulnerable to unauthorized access through misconfigured bucket policies, leaked credentials, or insider threats. Encryption ensures that even if storage is compromised, data remains unreadable without the correct decryption keys.

Primary use cases

Compliance-mandated encryption for S3 data lakes, customer-managed key (CMK) encryption for sensitive datasets, cross-account key sharing for multi-tenant lakehouses.
