Amazon will now encrypt data in S3 buckets on AWS by default

Amazon will now encrypt all data in S3 buckets with AES-256 by default. That server-side encryption had been available for S3 for some time, but was never on by default. Administrators can still decide for themselves whether they want to use alternative encryption.

Amazon.com writes that it will immediately enable default encryption for all users. In practice, that means that any new objects uploaded to a Simple Storage Service or S3 bucket on Amazon Web Services are automatically encrypted on the server side. This is done with AES-256.

By default, AWS’s own encryption scheme is used, which Amazon simply calls SSE-S3. In addition, it is also possible to use your own encryption keys, which are called SSE-C or Customer, or to use AWS Key Management Service keys, abbreviated SSE-KMS. Bucket administrators can also encrypt objects on the client through software such as the S3 Encryption Client.

Server-side encryption for S3, also known as SSE-S3, has been optional in AWS buckets since 2011. It wasn’t a hidden feature either; admins could easily enable it from the settings. But this is the first time that encryption has become the standard.

Amazon says that while it was easy to enable, with new buckets, administrators always had to check that their new buckets were configured correctly and continually verify that they were. Amazon says the feature is especially interesting for companies that find it important that their AWS data remains encrypted at rest by default so that they can continue to comply with requirements.

Update: a wrong assumption about the security of such found data has been removed because this encryption method has nothing to do with it.