S3 Encryption (SSE-S3 / SSE-KMS)

What it is: Encrypting S3 objects at rest.

What it’s for:

  • Protect data if storage media is compromised.
  • Meet compliance/security requirements.

Common server-side encryption options:

  • SSE-S3: AWS-managed keys handled by S3.
  • SSE-KMS: uses KMS keys (more control, auditing).
  • (Also exists: SSE-C, with client-provided keys; less common in exams.)

When to choose which:

  • “simplest encryption” → SSE-S3.
  • “need audit + control + key policies” → SSE-KMS.

Exam cues:

  • “control who can decrypt” → SSE-KMS + key policy.
  • “enable encryption by default on bucket” → bucket default encryption.

Hard words:

  • *at rest* /æt rest/: data "sitting still" on disk (not being transmitted)
  • *media* /ˈmiːdiə/: the physical storage medium
  • *compromised* /ˈkɑːmprəmaɪzd/: exposed or taken over
aws/storage/s3/encryption.txt · Last modified: by phong2018