2.2.3 Client-side vs Server-side Encryption
Comparison
| | Server-side (SSE) | Client-side |
|---|---|---|
| Encrypted by | AWS service (S3, EBS, RDS) | Application, before sending |
| Decrypted by | AWS service | Application, after receiving |
| Data in transit to AWS | Plaintext (protected only by TLS) | Already encrypted (TLS on top) |
| Key management | AWS-managed, KMS, or customer-supplied (SSE-C) | Application |
| Complexity | Low | High |
| Use case | Most workloads | Strict compliance, zero trust toward the provider |
Server-side Encryption (S3)
Client → (TLS) → S3 → Encrypt with key → Store encrypted
Client ← (TLS) ← S3 ← Decrypt with key ← Read encrypted
| Type | Key | Key-usage audit |
|---|---|---|
| SSE-S3 | AWS manages (AES-256) | ❌ no per-key audit trail |
| SSE-KMS | KMS key (AWS-managed or customer-managed) | ✅ every key use logged in CloudTrail |
| SSE-C | Customer supplies the key with each request (HTTPS required; AWS does not store the key) | ❌ |
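The table above is what an audit has to check object by object. The following is an added example, not AWS code: it classifies an object's SSE mode from the fields a boto3 `head_object()` response carries (`ServerSideEncryption`, `SSEKMSKeyId`, `SSECustomerAlgorithm`), flags everything that is not SSE-KMS under one required key, and builds the bucket policy that rejects uploads which do not request that. The `head_object` responses, the bucket name and the key ARN are constructed placeholders; nothing here talks to AWS.

```python
# Added example (not AWS code): classify how an S3 object is encrypted from
# a head_object() response, audit a set of objects, and build the bucket
# policy that denies uploads not requesting SSE-KMS with one specific key.
# SAMPLE_OBJECTS is constructed to mirror boto3's response field names.

REQUIRED_KEY = "arn:aws:kms:us-east-1:123456789012:key/key-id"  # placeholder ARN

# Constructed head_object responses, one object per SSE mode
SAMPLE_OBJECTS = {
    "plain.txt": {},
    "sse-s3.txt": {"ServerSideEncryption": "AES256"},
    "sse-kms.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": REQUIRED_KEY},
    "other-key.txt": {"ServerSideEncryption": "aws:kms",
                      "SSEKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/other"},
    "sse-c.txt": {"SSECustomerAlgorithm": "AES256"},
}


def classify(head):
    """Map a head_object response to NONE / SSE-S3 / SSE-KMS / SSE-C."""
    if head.get("SSECustomerAlgorithm"):      # key was supplied by the client
        return "SSE-C"
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "NONE"


def non_compliant(objects, required_key=REQUIRED_KEY):
    """Objects that are not SSE-KMS under required_key. SSE-S3 objects fail
    too: they are encrypted, but their key use leaves no CloudTrail record."""
    bad = [name for name, head in objects.items()
           if classify(head) != "SSE-KMS" or head.get("SSEKMSKeyId") != required_key]
    return sorted(bad)


def require_sse_kms_policy(bucket, key_arn=REQUIRED_KEY):
    """Bucket policy denying PutObject unless the request asks for aws:kms
    with key_arn. Both condition keys are documented S3 condition keys.
    StringNotEquals evaluates true when the header is absent, so clients
    must set the SSE headers explicitly rather than rely on bucket default
    encryption, or such PUTs are denied as well."""
    statement = lambda sid, cond_key, value: {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {cond_key: value}},
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            statement("DenyNonKmsUploads",
                      "s3:x-amz-server-side-encryption", "aws:kms"),
            statement("DenyWrongKmsKey",
                      "s3:x-amz-server-side-encryption-aws-kms-key-id", key_arn),
        ],
    }


if __name__ == "__main__":
    for name, head in SAMPLE_OBJECTS.items():
        print(f"{name:15} {classify(head)}")
    print("non-compliant:", non_compliant(SAMPLE_OBJECTS))
```

In a real audit the `head` dicts come from `s3.head_object(Bucket=..., Key=...)` over a `list_objects_v2` paginator; for SSE-C objects `head_object` itself requires the customer key, which is exactly why that mode gives AWS nothing to audit.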
Client-side Encryption
Client → Encrypt locally → (TLS) → S3 → Store (already encrypted)
Client ← Decrypt locally ← (TLS) ← S3 ← Read (still encrypted)
```python
# Client-side encryption with the AWS Encryption SDK (envelope encryption:
# a fresh data key per message, wrapped by the KMS key named below)
import boto3
import aws_encryption_sdk

client = aws_encryption_sdk.EncryptionSDKClient()
kms_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(
    key_ids=['arn:aws:kms:us-east-1:123456789012:key/key-id']
)
s3 = boto3.client('s3')
plaintext_data = b'sensitive payload'

# Encrypt locally: the KMS key never leaves KMS; the SDK asks KMS for a data
# key and stores the wrapped copy of it inside the message header
ciphertext, header = client.encrypt(
    source=plaintext_data,
    key_provider=kms_provider
)
# Upload: S3 only ever stores, and TLS only ever carries, ciphertext
s3.put_object(Bucket='bucket', Key='file', Body=ciphertext)

# Download and decrypt locally; the SDK calls KMS Decrypt on the wrapped data key
obj = s3.get_object(Bucket='bucket', Key='file')
decrypted, decrypted_header = client.decrypt(
    source=obj['Body'].read(),
    key_provider=kms_provider
)
assert decrypted == plaintext_data
```
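The SDK hides the envelope: a random data key encrypts the object, KMS wraps only that data key, and the wrapped key travels with the ciphertext. The following added example (not AWS or Encryption SDK code) writes the same flow out by hand so the two diagrams above can be traced in code. `FakeKms` stands in for KMS GenerateDataKey/Decrypt, the S3 bucket is a dict, and the metadata name `x-amz-key-v2` is borrowed from the S3 Encryption Client only as a label; all three are assumptions. HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES-GCM so the block runs on the standard library alone; in production use the Encryption SDK or AES-GCM from a real crypto library.

```python
# Added example (not AWS code): client-side envelope encryption by hand.
# FakeKms = stand-in for KMS, dict = stand-in for S3, HMAC-CTR + HMAC tag =
# stand-in for AES-GCM (all assumptions; use the Encryption SDK in production).
import base64
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Separate keystream and MAC keys derived from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag, with aad bound into the tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    mac_input = len(aad).to_bytes(4, "big") + aad + nonce + ct
    tag = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    """Verify the tag first, then decrypt; any bit flip or AAD mismatch fails."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_input = len(aad).to_bytes(4, "big") + aad + nonce + ct
    expect = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class FakeKms:
    """The master key never leaves this object, as a KMS key never leaves KMS."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def generate_data_key(self):
        dk = secrets.token_bytes(32)
        return dk, seal(self._master, dk)        # (plaintext data key, wrapped copy)

    def decrypt(self, wrapped):
        return open_(self._master, wrapped)


def client_put(s3, kms, key, plaintext):
    """Application side of the upload: S3 receives only ciphertext plus the
    wrapped data key; the plaintext data key lives only inside this call."""
    dk, wrapped = kms.generate_data_key()
    body = seal(dk, plaintext, aad=key.encode())   # bind ciphertext to its object key
    s3[key] = {"Body": body,
               "Metadata": {"x-amz-key-v2": base64.b64encode(wrapped).decode()}}


def client_get(s3, kms, key):
    """Application side of the download: unwrap via KMS, then decrypt locally."""
    obj = s3[key]
    dk = kms.decrypt(base64.b64decode(obj["Metadata"]["x-amz-key-v2"]))
    return open_(dk, obj["Body"], aad=key.encode())


def server_sees_plaintext(s3, key, needle):
    """What the storage side (or a bucket-policy mistake) could read."""
    return needle in s3[key]["Body"]


if __name__ == "__main__":
    kms, s3 = FakeKms(), {}
    client_put(s3, kms, "report.csv", b"account,balance\n1,100\n")
    print(client_get(s3, kms, "report.csv"))
    print("server can read 'balance':", server_sees_plaintext(s3, "report.csv", b"balance"))
```

Two things worth noticing when running it: the stored body never contains the plaintext, and an object copied under a different key name or modified in place fails authentication on read, because the object key is bound in as AAD and the tag covers the ciphertext. Reading the data back requires a call to the key holder (`kms.decrypt`), which in real KMS is the Decrypt API call that CloudTrail records.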
When to use client-side?
| Scenario | Recommendation |
|---|---|
| Standard compliance | SSE-KMS (server-side) |
| Strict zero-trust | Client-side |
| End-to-end encryption | Client-side |
| Multi-cloud | Client-side (portable) |
| Simple setup | SSE-S3 (server-side) |
Exam Tip: Server-side = simple, AWS manages. Client-side = application manages, data is encrypted before it reaches AWS. SSE-KMS = best balance (audit + managed keys). SSE-C = customer supplies the key with each request (HTTPS required).