Amazon S3 encrypts your object before saving it on disks in its data centers and decrypts it when you download the objects. You have two options depending on how you choose to manage the encryption keys: server-side encryption and client-side encryption.

Server-side encryption is about data encryption at rest--that is, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.

In client-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools. Server-side encryption is an alternative to client-side encryption in which Amazon S3 manages the encryption of your data, freeing you from the tasks of managing encryption and encryption keys.

Amazon S3 server-side encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
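
The key hierarchy described above (a unique key per object, itself encrypted under a rotating master key) can be sketched as follows. This is an added illustration of the pattern, not Amazon S3's own code; it assumes the third-party `cryptography` package and AES-GCM as the AES-256 mode, and all function names are hypothetical.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: AES-GCM is used as the AES-256 mode; the text above names only AES-256.
NONCE_LEN = 12  # 96-bit nonce, the standard size for GCM


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with AES-256-GCM; returns nonce || ciphertext+tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises InvalidTag on a wrong key or tampered data."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def put_object(master_key: bytes, data: bytes) -> dict:
    """Encrypt data under a fresh per-object key, then wrap that key with the master key."""
    data_key = AESGCM.generate_key(bit_length=256)
    return {"ciphertext": seal(data_key, data), "wrapped_key": seal(master_key, data_key)}


def get_object(master_key: bytes, stored: dict) -> bytes:
    """Unwrap the per-object key, then decrypt the object with it."""
    return unseal(unseal(master_key, stored["wrapped_key"]), stored["ciphertext"])


def rotate_master(old_master: bytes, new_master: bytes, stored: dict) -> dict:
    """Re-wrap only the small data key; the object ciphertext is left untouched."""
    data_key = unseal(old_master, stored["wrapped_key"])
    return {"ciphertext": stored["ciphertext"], "wrapped_key": seal(new_master, data_key)}


if __name__ == "__main__":
    old, new = AESGCM.generate_key(bit_length=256), AESGCM.generate_key(bit_length=256)
    stored = put_object(old, b"constructed sample object")
    rotated = rotate_master(old, new, stored)
    print(get_object(new, rotated))
    try:
        get_object(old, rotated)
    except InvalidTag:
        print("old master key no longer unwraps the data key")
```

Rotation here touches only the wrapped key, which is why a master key can be rotated regularly without re-encrypting every stored object.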