What type of encryption is used in an S3 bucket?

Amazon S3 provides several encryption options to protect data at rest:

1. Server‑Side Encryption with Amazon S3‑managed keys (SSE‑S3) – S3 encrypts each object with a unique AES‑256 key that it manages. The key is stored in the S3 service and is automatically handled for you.
2. Server‑Side Encryption with AWS KMS‑managed keys (SSE‑KMS) – Similar to SSE‑S3, but the encryption keys are stored in AWS Key Management Service. You can control key rotation, audit usage, and apply fine‑grained IAM policies.
3. Server‑Side Encryption with customer‑provided keys (SSE‑C) – You supply the encryption key in the request; S3 uses it to encrypt/decrypt the object but does not store it.
4. Client‑Side Encryption – You encrypt data before uploading it to S3. The bucket stores the ciphertext; you manage the keys locally or via KMS.

All these methods ensure that data is encrypted on disk. Additionally, S3 supports bucket policies and IAM permissions to restrict access, and you can enable versioning and MFA‑delete for extra protection. The choice depends on compliance requirements, key control needs, and operational overhead.