[dopylitty]

Bucket encryption doesn't protect against anything except someone getting access to the hard drives underlying S3 and somehow recovering data.

If you've somehow left access to a bucket open the odds are that you also have it configured to let anyone with access to the bucket decrypt the files. AWS calls this server side encryption, where S3 automatically encrypts and decrypts files for you. You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application.

[gnerix]

Default bucket encryption would require you to misconfigure two controls instead of one. S3 only automatically decrypts if you are an authorized principal on the KMS key, having S3 permission is not enough.

[hvo]

"You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application."

Well,SSE-KMS is not difficult to manage if you have sensitive customers data like Capital One does. I use it all the time. You can pretty much audit the buckets and see what is going on.

And if Capital One has used SSE-KMS on the buckets,we might not be talking about this data breach today.Incompetence? Complacency?

[parzivalm]

I am well aware how S3 works, I just mean you can use custodian to enforce SSE on the bucket as well as KMS based encryption, so the original commenter is just being a troll was the point I was getting at.