With client-side encryption you create and manage your own encryption keys. Keys you create arenot exported to AWS in clear text. Your applications encrypt data before submitting it to Amazon S3,and decrypt data after receiving it from Amazon S3. Data is stored in an encrypted form, with keysand algorithms only known to you. While you can use any encryption algorithm, and eithersymmetric or asymmetric keys to encrypt the data, the AWS-provided Java SDK offers Amazon S3client-side encryption features. https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf