If it is so easy to turn on SSE with just SSE-S3, why not do it all the time? Are there latency concerns for read/write? Any other downsides?
the default answer is "always encrypt everything"…:-). There are no performance downsides to using AWS service-based encryption. When using AWS-managed encryption it’s just a setting and you never reference it again. Encryption can get complex when using KMS and customer-managed keys. Overall it’s best practice to encrypt everything at rest and in transit.
While you are on the right train of thought, I think the only main reason you might want to turn it off is because you plan to manage encryption yourself using alternative methods which AWS managed encryption may interfere with.
It does bring about an interesting question though. If this is the main kind of use case where a customer would possibly not want encryption enabled, why isn’t it enabled by default? AWS does a fantastic job with default firewall rules via bucket policy’s and ACL’s, why do they seem to stop short when it comes to encryption sensitive data?
There are a couple ways to think about this. To directly answer your question, there really isn’t a DOWNSIDE to encrypting. As you dive further into your AWS studies, you will find there are certain KMS metrics/limits you have to be aware of… as well as really know why you or your organization should use one type of encryption over another. You should know what happens when you encrypt your objects with SSE-S3 and then make your bucket public (hint in case you didn’t know, everyone will still have access due to the type of encryption and public access).
With that said, in my opinion, you should architect based on least privilege access, best practices for the architecture you’re deploying, and WHAT YOU NEED. If you have a bunch of images you do not care about (IE not sensitive content), why would you encrypt them? It does not makes sense to add encryption (whether they become public or not) in this case. If you have data files (let’s say sensitive database backups in a .gz format) in S3, you probably want to ensure they are encrypted with the right type of encryption that meets your needs (and you probably do not want SSE-S3 encryption). There are many more examples of this. Best practices in 1 case does not equal best practices in every other case. I hope this helps.