AWS Certified Solutions Architect - Associate (SAA-C02)


Why wouldn’t you turn on server-side encryption for an S3 bucket? What are the downsides to SSE?

If it is so easy to turn on SSE with just SSE-S3, why not do it all the time?  Are there latency concerns for read/write?  Any other downsides?


This is not the answer but it is nice to think about:

Paul Kater

There is no ‘downside’ for SSE, and yes, always encrypt your stuff. That should be an automated reaction. The reason there’s also client-side encryption is that some companies are on security level "paranoid" and want to or have to be in total control of the whole process. SSE is easier and safe, but sometimes there are company rules or even legal rules for DIY encryption.

3 Answers

The default answer is "always encrypt everything"…:-). There are no performance downsides to using AWS service-based encryption. When using AWS-managed encryption it’s just a setting and you never reference it again. Encryption can get complex when using KMS and customer-managed keys. Overall it’s best practice to encrypt everything at rest and in transit.

While you are on the right train of thought, I think the only main reason you might want to turn it off is because you plan to manage encryption yourself using alternative methods which AWS managed encryption may interfere with. 

It does bring about an interesting question though. If this is the main kind of use case where a customer would possibly not want encryption enabled, why isn’t it enabled by default? AWS does a fantastic job with default firewall rules via bucket policies and ACLs, why do they seem to stop short when it comes to encrypting sensitive data?

There are a couple ways to think about this.  To directly answer your question, there really isn’t a DOWNSIDE to encrypting.  As you dive further into your AWS studies, you will find there are certain KMS metrics/limits you have to be aware of… as well as really know why you or your organization should use one type of encryption over another.  You should know what happens when you encrypt your objects with SSE-S3 and then make your bucket public (hint in case you didn’t know, everyone will still have access due to the type of encryption and public access).

With that said, in my opinion, you should architect based on least privilege access, best practices for the architecture you’re deploying, and WHAT YOU NEED. If you have a bunch of images you do not care about (i.e. not sensitive content), why would you encrypt them? It does not make sense to add encryption (whether they become public or not) in this case. If you have data files (let’s say sensitive database backups in a .gz format) in S3, you probably want to ensure they are encrypted with the right type of encryption that meets your needs (and you probably do not want SSE-S3 encryption). There are many more examples of this. Best practices in one case do not equal best practices in every other case. I hope this helps.
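The SSE-S3 and public-bucket point raised in the answer above, as an added example that is not part of the original thread: it classifies a bucket from dicts shaped like boto3's `get_bucket_encryption` and `get_bucket_policy_status` responses. The function names, result labels and sample inputs are constructed for illustration.

```python
# Added example: what does default encryption actually protect for a bucket?
# Inputs are dicts shaped like boto3 S3 responses; the samples are constructed.

def sse_algorithm(encryption_resp):
    """Return the default SSE algorithm ('AES256', 'aws:kms', ...) or None."""
    if not encryption_resp:
        return None
    config = encryption_resp.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return default.get("SSEAlgorithm")
    return None

def assess(encryption_resp, policy_status_resp):
    """Combine encryption type with public exposure into one finding label."""
    algo = sse_algorithm(encryption_resp)
    status = (policy_status_resp or {}).get("PolicyStatus", {})
    public = bool(status.get("IsPublic"))
    if algo is None:
        return "public-no-default-encryption" if public else "private-no-default-encryption"
    if algo == "AES256":
        # SSE-S3: S3 decrypts transparently for every caller the bucket
        # policy or ACL lets through, anonymous callers included.
        return "public-readable-despite-sse-s3" if public else "private-sse-s3"
    if algo.startswith("aws:kms"):
        # SSE-KMS: a reader also needs kms:Decrypt on the key, which an
        # unauthenticated request cannot have.
        return "public-policy-but-kms-gated" if public else "private-sse-kms"
    return "unknown-algorithm"

# Constructed sample responses.
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
     "BucketKeyEnabled": True}]}}
PUBLIC = {"PolicyStatus": {"IsPublic": True}}
NOT_PUBLIC = {"PolicyStatus": {"IsPublic": False}}

if __name__ == "__main__":
    for name, enc in (("sse-s3", SSE_S3), ("sse-kms", SSE_KMS), ("none", None)):
        for status in (PUBLIC, NOT_PUBLIC):
            print(name, status["PolicyStatus"]["IsPublic"], "->", assess(enc, status))
```
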
