[fortituded0002]

I don't think you are off the mark.

(from https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingE...) > Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.

Yes it looks like it's at rest. It automatically decrypts if you go through S3 APIs to access the objects. The big leaks were due to S3 buckets being public which I believe means that this new encryption on by default won't actually help.

The only thing Encryption at rest gives you is comfort in knowing if Amazon servers get compromised - not if your servers that have permissions to pull the data get compromised.

With that said, it is a good step in the right direction. And additional security added helps address at least some use cases.