Simply put
Server-side encryption (SSE) is a method of encrypting data at rest on
a server or storage system. SSE ensures that data is encrypted before
it's stored on the server, thereby protecting it from unauthorized
access.
There are typically three variants of SSE:
- SSE-S3 (Server-Side Encryption with Amazon S3): This is offered by AWS for objects stored in Amazon S3 (Simple Storage Service). With SSE-S3, Amazon S3 manages the encryption keys, providing an easy-to-use solution for encrypting data stored in S3 buckets.
- SSE-KMS (Server-Side Encryption with AWS Key Management Service): With SSE-KMS, the keys used for encryption are managed through AWS Key Management Service (KMS). This provides additional security and control over the encryption keys, allowing for more granular access management and audit capabilities.
- SSE-C (Server-Side Encryption with Customer-Provided Keys): SSE-C allows customers to provide their own encryption keys, which are used to encrypt and decrypt data stored in the cloud. With SSE-C, the cloud storage provider handles the encryption and decryption process, but the keys are managed by the customer, providing greater control over data security.
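
The three variants differ in which headers an S3 PutObject request carries, and so in where the key lives. The sketch below is an added example, not code from the original page; the function names `sse_headers` and `classify`, the sample key and the KMS key ARN are constructed for illustration.

```python
import base64
import hashlib

def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Build the S3 PutObject request headers that select one SSE variant."""
    if mode == "SSE-S3":
        # Key is created and held by S3; the client only names the algorithm.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # without it, S3 uses the AWS managed KMS key for S3
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        digest = hashlib.md5(customer_key, usedforsecurity=False).digest()
        return {
            # The raw key travels in every request, so send only over HTTPS.
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            # Transit integrity check on the key, not a security control.
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(digest).decode(),
        }
    raise ValueError(f"unknown SSE mode: {mode}")

def classify(headers):
    """Name the SSE variant a set of request headers asks for, or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in h:
        return "SSE-C"
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}.get(
        h.get("x-amz-server-side-encryption"), "none")

if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed sample key
    # Constructed placeholder ARN, not a real key.
    kms_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C"):
        hdrs = sse_headers(mode, kms_key_id=kms_arn, customer_key=demo_key)
        print(mode, "->", classify(hdrs), sorted(hdrs))
```

With SSE-C the same key headers must be supplied again on every read of the object, because S3 does not store the key.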
See https://www.learnaws.org/2022/10/09/aws-s3-server-side-encryption/