In the KMS lesson, Ryan initially uses KMS encryption and the file is not accessible from the public URL. When he switches it to S3 encryption, he can see it. Why is this? Why doesn’t S3 encryption block access also? What is the point of the S3 encryption option if this is possible?
Both SSE-KMS and SSE-S3 enable data encryption at rest. SSE-KMS requires permissions to both the data and the master key to 1) access the data and 2) have it decrypted. For SSE-S3, AWS encrypts the data before saving it and decrypts the data when it is retrieved. I.e., permission to the data automatically gives you permission to the S3 encryption key.
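The two checks described in the answer, as an added example that is not part of the original post: a simplified Python model of the decision S3 makes on a GET. The class names, the `public_read` flag and the sample principals are assumptions made for illustration, and real IAM evaluation (explicit denies, key policies, grants) is reduced to a set of allowed actions.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    signed: bool                                # False = anonymous hit on the public URL
    allowed: set = field(default_factory=set)   # simplified: actions granted by IAM

@dataclass
class S3Object:
    key: str
    encryption: str                             # "SSE-S3" or "SSE-KMS"
    public_read: bool = False                   # object readable by everyone

def get_object(principal: Principal, obj: S3Object):
    """Return (allowed, reason) for a GET, modelling the two separate checks."""
    # Check 1: permission to the data itself.
    if not (obj.public_read or "s3:GetObject" in principal.allowed):
        return False, "no s3:GetObject on the object"
    # SSE-S3: S3 owns the key, so passing check 1 is all that is needed.
    if obj.encryption == "SSE-S3":
        return True, "S3 decrypted transparently"
    # SSE-KMS, check 2: the caller must also be allowed to use the key.
    # KMS-encrypted objects need signed requests, so anonymous callers stop here.
    if not principal.signed:
        return False, "anonymous request cannot use the KMS key"
    if "kms:Decrypt" not in principal.allowed:
        return False, "no kms:Decrypt on the key"
    return True, "KMS decrypted for an authorized caller"

# Constructed sample principals and objects.
ANON = Principal("anonymous", signed=False)
READER = Principal("reader", signed=True, allowed={"s3:GetObject"})
ANALYST = Principal("analyst", signed=True, allowed={"s3:GetObject", "kms:Decrypt"})
PUBLIC_S3 = S3Object("report.pdf", "SSE-S3", public_read=True)
PUBLIC_KMS = S3Object("report.pdf", "SSE-KMS", public_read=True)

def demo():
    """Outcome for each principal against the same public object, per mode."""
    return {
        (p.name, o.encryption): get_object(p, o)
        for p in (ANON, READER, ANALYST)
        for o in (PUBLIC_S3, PUBLIC_KMS)
    }

if __name__ == "__main__":
    for (who, mode), (ok, why) in demo().items():
        print(f"{who:9} {mode:7} -> {'ALLOW' if ok else 'DENY'}: {why}")
```

Either mode protects the stored bytes at rest; only SSE-KMS adds a second authorization decision on read, which is why the public URL stops working in the lesson.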