You mentioned that you used an S3 bucket to write state. Do you know what type of encryption has been used?

S3 offers three main server‑side encryption options: SSE‑S3 (AES‑256), SSE‑KMS (AWS KMS‑managed keys), and SSE‑C (customer‑provided keys). If you stored state in an S3 bucket, the encryption type can be determined by checking the bucket’s default encryption settings in the AWS console or via the GetBucketEncryption API. For example, if the bucket shows "Server-side encryption: AES-256", it uses SSE‑S3. If it shows "AWS KMS key: alias/your-key", it uses SSE‑KMS. SSE‑C requires the client to supply the key for each request, so it is less common for automated state storage. Knowing the encryption type is important for compliance and cost considerations: SSE‑KMS incurs KMS request charges and allows fine‑grained key policies, while SSE‑S3 is simpler and free. In practice, many teams use SSE‑KMS for state files to meet regulatory requirements and enable key rotation.