Amazon will now encrypt all data in S3 buckets with AES-256 by default. That server-side encryption had been available for S3 for some time, but was never on by default. Administrators can still decide for themselves whether they want to use alternative encryption.
Amazon writes that it will immediately enable standard encryption for all users. In practice, that means that any new objects uploaded to a Simple Storage Service or S3 bucket on Amazon Web Services are automatically encrypted on the server side. This is done with AES-256.
By default, AWS’s own encryption scheme is used, which Amazon simply calls SSE-S3. In addition, it is also possible to use your own encryption keys, which are called SSE-C or Customer, or to use AWS Key Management Service keys, abbreviated SSE-KMS. Bucket administrators can also encrypt objects on the client through software such as the S3 Encryption Client.
Server-side encryption for S3, also known as SSE-S3, has been optional in AWS buckets since 2011. It wasn’t a hidden feature either; admins could easily enable it from the settings. But this is the first time that encryption has become the standard.
Amazon says that while it was easy to enable, with new buckets, administrators always had to check that their new buckets were configured correctly and continuously verify that they were. Amazon says the feature is especially interesting for companies that find it important that their AWS data remains encrypted at rest by default so that they can continue to comply.
Another factor is that data leaks from open AWS buckets may occur less in this way. In the past, major data leaks regularly came out, such as when researchers found an unsecured bucket with hundreds of gigabytes of data, or in 2019 when data from 22,000 Facebook users was found on an unsecured AWS server . It is not known in how many cases S3 admins will or will not enable the encryption option, but making that the default will make such open buckets less of a problem for scrapers.
