1 Answers
Both SSE-KMS and SSE-S3 enable data encryption at rest. For SSE-KMS, it requires permissions to both data and master key to 1) access the data and 2) have it decrypted. For SSE-S3, AWS encrypts the data before saving it and decrypt the data when retrieved. I.e., permission to the data will automatically gives you permission to S3 encryption key.