Architecture

Encryption / KMS

The combination of data encryption (at rest and in transit) with key management service (KMS) integration to protect S3-stored data, including server-side encryption (SSE-S3, SSE-KMS, SSE-C) and client-side encryption patterns.

Summary

Where it fits

Encryption/KMS is the data protection layer for S3-based lakehouses. It ensures that even with direct S3 access, data is unreadable without appropriate key permissions. KMS integration enables key rotation, envelope encryption, and audit trails of key usage.

Misconceptions / Traps
  • Server-side encryption (SSE) protects data at rest on S3 disks but does not prevent authorized IAM principals from reading decrypted data. SSE is a compliance control, not an access control.
  • SSE-KMS adds a KMS API call per object read/write. At high request volumes, KMS throttling (default 10,000 requests/second per region) becomes a bottleneck.
  • Client-side encryption provides stronger protection (data is encrypted before reaching S3) but prevents server-side features like S3 Select, Athena pushdown, and S3 Intelligent-Tiering from operating on the data.
Key Connections
  • scoped_to S3, Object Storage — encryption of S3-stored data
  • enables Compliance-Aware Architectures — encryption is a baseline regulatory requirement
  • enables PII Tokenization — KMS underpins tokenization key management
  • constrains Request Pricing Models — KMS calls add per-request cost

Definition

What it is

The practice of encrypting data at rest on S3 using server-side encryption (SSE-S3, SSE-KMS, SSE-C) or client-side encryption, with key management handled by AWS KMS or an external key management service.

Why it exists

S3 data at rest is vulnerable to unauthorized access through misconfigured bucket policies, leaked credentials, or insider threats. Encryption ensures that even if storage is compromised, data remains unreadable without the correct decryption keys.

Primary use cases

Compliance-mandated encryption for S3 data lakes, customer-managed key (CMK) encryption for sensitive datasets, cross-account key sharing for multi-tenant lakehouses.

Recent developments

Latest signals
  • SSE-C disabled by default for all new buckets (April 2026). Amazon S3 deployed an update so all new general-purpose buckets reject SSE-C write requests by default — the response to the Codefinger ransomware campaign that abused SSE-C to encrypt victim buckets with attacker-held keys (unrecoverable without paying). Per AWS Storage Blog — Advanced Notice: S3 to Disable SSE-C by Default April 2026.
  • SSE-KMS with customer-managed keys is the "sweet spot" for most teams. 2026 best-practice consensus: AWS-managed keys are too opaque for compliance; SSE-C is now disabled by default; customer-managed KMS keys hit the right tradeoff — control + auditability without raw key material management. Per Medium — AWS S3 Encryption with Customer-Managed Keys via SSE-KMS.
  • DSSE-KMS: dual-layer AES-256 for FIPS / NSA CNSA-mandated workloads. DSSE-KMS applies two independent layers of AES-256 — first with a KMS data key, then with an S3-managed encryption key. It clears a compliance bar for federal / defense workloads that single-layer SSE-KMS does not. Per AWS Docs — Protecting Data with Server-Side Encryption.
  • S3 Bucket Keys are the cost-efficient SSE-KMS production default. Up to 99% KMS request-cost reduction by generating a bucket-level key reused for objects in a time window. Without Bucket Keys, SSE-KMS hits both KMS request limits and budget at scale. Per AWS Docs — Using SSE-KMS.
  • 5-tier encryption decision tree: SSE-S3 / SSE-KMS-AWS / SSE-KMS-CMK / DSSE-KMS / CSE. The 2026 consolidating decision tree: start with SSE-KMS + customer-managed key + Bucket Keys for most workloads; promote to DSSE-KMS for federal/defense; use CSE (client-side encryption) only for "S3 must never see plaintext key material" use cases. Per Go-Cloud — S3 Encryption Types Guide 2026.
  • Databricks documents KMS-S3 configuration as standard infra. Databricks-on-AWS now treats SSE-KMS + customer-managed keys as the documented baseline configuration — confirms the pattern has graduated from "additional security control" to "default configuration step." Per Databricks Docs — Configure Encryption for S3 with KMS.
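As an added example (not code from this page, AWS or Databricks), the checker below grades a bucket's default-encryption rule against the five-tier decision tree above and flags a missing Bucket Key; it takes the dict shape boto3's get_bucket_encryption returns, and the SAMPLES, key ARN and the way the AWS-managed alias is reported are constructed assumptions.

```python
# Added example (not from the page or AWS): grade an S3 bucket's default
# encryption rule against the five-tier tree (SSE-S3 / SSE-KMS-AWS /
# SSE-KMS-CMK / DSSE-KMS / CSE) and flag a missing Bucket Key. Input is the
# dict boto3's get_bucket_encryption returns; SAMPLES are constructed.

AWS_MANAGED_ALIAS = "alias/aws/s3"  # AWS-managed S3 key: no customer key policy

SAMPLES = {  # constructed GetBucketEncryption responses, not real buckets
    "lake-raw": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "lake-curated": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": False}]}},
}


def classify_default_encryption(response):
    """Return (tier, findings); tier is NONE, SSE-S3, SSE-KMS-AWS,
    SSE-KMS-CMK or DSSE-KMS. CSE never appears here: S3 only sees ciphertext."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "NONE", ["no default encryption rule; each writer chooses or skips encryption"]
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID", "")
    if algo == "AES256":
        return "SSE-S3", ["SSE-S3: no key policy or per-key KMS audit trail; prefer SSE-KMS with a CMK"]
    if algo not in ("aws:kms", "aws:kms:dsse"):
        return "NONE", [f"unrecognised SSEAlgorithm {algo!r}"]
    # No key ID, or the alias/aws/s3 alias (bare or inside an ARN), means the
    # AWS-managed key; how the alias is reported is an assumption here.
    aws_managed = not key_id or key_id.endswith(AWS_MANAGED_ALIAS)
    findings = []
    if algo == "aws:kms:dsse":
        tier = "DSSE-KMS"
    else:
        tier = "SSE-KMS-AWS" if aws_managed else "SSE-KMS-CMK"
    if aws_managed:
        findings.append("AWS-managed key: no key policy, grants or cross-account sharing")
    if not rule.get("BucketKeyEnabled", False):
        findings.append("BucketKeyEnabled is false: one KMS request per object; throttling and cost at scale")
    return tier, findings


def audit(responses=SAMPLES):
    """Map bucket name -> (tier, findings) for a dict of responses."""
    return {name: classify_default_encryption(resp) for name, resp in responses.items()}
```

Feed it the responses collected from each bucket in the lakehouse account; anything graded below SSE-KMS-CMK with Bucket Keys enabled is a candidate for the "promote to SSE-KMS + CMK + Bucket Keys" step of the decision tree.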
