SSE-S3: Amazon S3-Managed Encryption Keys
In SSE-S3, all keys and secrets are managed inside S3. This is the simplest encryption mechanism.
Enabling SSE-S3
To write S3-SSE encrypted files, the value of
fs.s3a.server-side-encryption-algorithm must be set to that of the
encryption mechanism used in core-site.xml; currently only
AES256 is supported.
<property> <name>fs.s3a.server-side-encryption-algorithm</name> <value>AES256</value> </property>
Once set, all new data will be uploaded encrypted. There is no need to set this property when downloading data — the data will be automatically decrypted when read using the Amazon S3-managed key.
To learn more, refer to Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in AWS documentation.