Three types of SSE supported.
- SSE-C - client provides data encryption key for every get/put object calls. AWS S3 does not store client provided data encryption key. Client provided data encryption key may be generated by AWS KMS for every get/put object calls. It is user responsibility to securely save/map data encryption keys generated by KMS and AWS S3 does not store any data encryption key.
- SSE-S3 - client does not provide any encryption key for any get/put object calls. AWS S3 uses one single key (generated at first time) to encrypt/decrypt objects. Accordingly AWS docs, this key is stored along with object data.
- SSE-KMS - client provides Customer Master Key (CMK) for any get/put object calls. AWS S3 uses client's provided CMK to generate data keys using KMS to encrypt/decrypt objects. This data key is encrypted using KMS and is stored along with object data.
Below bucket policy prevents uploading unencrypted objects (even by owner/auth user).
- S