====== S3 Encryption (SSE-S3 / SSE-KMS) ======

**What it is:** Encrypting S3 objects at rest (server-side, as S3 writes them to disk).

**What it's for:**
  * Protect data if the storage media is compromised.
  * Meet compliance/security requirements.

**Common server-side encryption options:**
  * **SSE-S3**: AWS-managed keys handled entirely by S3.
  * **SSE-KMS**: uses [[aws:security:kms|KMS]] keys (more control, key policies, CloudTrail auditing of key use).
  * (Also exists: **SSE-C**, client-provided keys sent with each request; less common in exams.)

**When to choose which:**
  * "simplest encryption" → SSE-S3.
  * "need audit + control + key policies" → SSE-KMS.

**Exam cues:**
  * "control who can decrypt" → SSE-KMS + key policy.
  * "enable encryption by default on bucket" → bucket default encryption.

**Hard words:**
  * *at rest* /æt rest/: data "sitting still" on disk (not in transit)
  * *media* /ˈmiːdiə/: storage medium
  * *compromised* /ˈkɑːmprəmaɪzd/: exposed / taken over
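Added example (not part of the original note): a small audit of bucket default-encryption settings in the shape returned by ''aws s3api get-bucket-encryption'', mapping each bucket to SSE-S3 / SSE-KMS and flagging when the "control who can decrypt" cue cannot be met. The sample configurations and the key ARN are constructed placeholders.

```python
from typing import Optional

# Constructed sample: a bucket whose default is SSE-S3 (AWS-managed keys, SSEAlgorithm AES256).
SSE_S3_BUCKET = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}


def sse_kms_default(kms_key_arn: str, bucket_key: bool = True) -> dict:
    """Build the body for put-bucket-encryption so new objects default to SSE-KMS
    with the given key (hypothetical placeholder ARN in the examples below)."""
    rule = {
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": bucket_key,
    }
    return {"ServerSideEncryptionConfiguration": {"Rules": [rule]}}


def classify_default_encryption(config: Optional[dict]) -> str:
    """Map a bucket encryption configuration to the exam vocabulary."""
    rules = (config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "SSE-S3"
    if algo in ("aws:kms", "aws:kms:dsse"):
        # No KMSMasterKeyID means S3 uses the AWS managed key aws/s3, whose key
        # policy the account cannot edit, so it gives no "who can decrypt" control.
        return "SSE-KMS (customer key)" if default.get("KMSMasterKeyID") else "SSE-KMS (AWS managed key)"
    return "unknown"


def audit_bucket_encryption(config: Optional[dict], need_decrypt_control: bool = False) -> list:
    """Return findings for one bucket; need_decrypt_control is the exam cue
    'control who can decrypt', which only a customer managed KMS key satisfies."""
    findings = []
    mode = classify_default_encryption(config)
    if mode == "none":
        findings.append("no default-encryption rule configured on the bucket")
    if need_decrypt_control and mode != "SSE-KMS (customer key)":
        findings.append(f"{mode} cannot restrict decryption via a key policy; use SSE-KMS with a customer managed key")
    if mode.startswith("SSE-KMS") and not config["ServerSideEncryptionConfiguration"]["Rules"][0].get("BucketKeyEnabled"):
        findings.append("BucketKeyEnabled is off; enabling the S3 Bucket Key reduces KMS request volume")
    return findings
```

Run it against a real bucket by feeding the parsed output of ''aws s3api get-bucket-encryption --bucket NAME'' to ''audit_bucket_encryption''.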