SES
Configuration for an SES rule allows one to have the email put into an S3 bucket. Under this configuration, the option "KMS Key" is available, which would have SES encrypt the email before sending/putting it into the bucket. Specifically, this uses client-side encryption (CSE), not server-side encryption (SSE).
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-action-s3.html
S3
One can also configure an S3 bucket's properties to encrypt objects when they're uploaded (SSE).
Context
- the bucket is only accessed by code (our system and/or AWS Lambda), i.e. there won't be a requirement to separate different users/roles/etc.
Question
Why would one use
- SES S3 action with CSE encryption enabled + S3 SSE encryption disabled instead of
- SES S3 action with CSE encryption DISABLED + S3 SSE encryption ENABLED
(I'm not so much concerned with both SES encryption + S3 encryption)
- Has this got to do with the transit of the email content between SES and S3? In what way could this be a risk? Is this transfer not internal to AWS?
Side Note
- Created a bucket and enabled encryption.
- Added an SESPut bucket policy to allow SES. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html
- Configured an SES S3 rule to put email into said bucket, but during save I get the error: "Could not write to bucket"
- Changed bucket, removed encryption.
- SES rule save now succeeds.
This could just be that another policy is needed somewhere, or is there something I'm missing about AWS encryption which explains why the above steps failed and why SES has client-side encryption as an option?
(I've asked this in a separate question: AWS SES - S3 Rule to write to bucket with bucket encryption fails)
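The two configurations in the question differ in who holds the plaintext: with the rule-level "KMS Key" option SES envelope-encrypts the message itself, so S3 only ever stores ciphertext, whereas with bucket SSE the plaintext reaches S3 and is encrypted there at rest. In both cases the service principal SES writes as needs permissions that a plain bucket-policy check does not cover. The script below is an added example, not code from AWS or from the question: it builds the bucket policy and the KMS key policy in the shape the SES developer guide uses (current docs condition on aws:SourceAccount; older versions used aws:Referer), then evaluates offline whether the ses.amazonaws.com principal is granted s3:PutObject and kms:GenerateDataKey. The account id, bucket name, key ARN and object key are placeholders. The assumption that a default-encrypted bucket using a customer-managed KMS key also requires the key policy to allow the writing principal is a general SSE-KMS behaviour and is offered here as one possible explanation of the "Could not write to bucket" error, not something the question establishes.

```python
"""Offline check of the permissions behind the two SES -> S3 configurations.

Added example (not AWS or the question's own code).  Policy shapes follow the
SES developer guide; all identifiers below are placeholders.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder account id
BUCKET = "example-ses-inbox"  # placeholder bucket name
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/PLACEHOLDER-KEY-ID"

# Bucket policy SES needs in either configuration (shape from the SES guide).
SES_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSESPuts",
        "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
    }],
}

# Key policy statement the SES guide gives for the rule-level "KMS Key" option
# (configuration A: SES performs client-side envelope encryption).
SES_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSESToEncrypt",
        "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
    }],
}

# A customer-managed key whose policy never mentions SES: the usual state of a
# freshly created key selected for default bucket encryption (constructed).
KEY_POLICY_WITHOUT_SES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def service_allowed(policy, service, action, resource="*"):
    """True if some Allow statement grants `service` the `action` on `resource`.

    Supports the '*' wildcard in Action/Resource and ignores Condition blocks,
    which are evaluated against request context at runtime, not here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal != "*" and service not in _as_list(principal.get("Service", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        return True
    return False


def check_configuration(bucket_policy, key_policy, mode):
    """Summarise whether an SES write would pass the policy checks.

    mode: "ses-cse"        rule-level KMS key, bucket SSE off (SES calls KMS itself)
          "bucket-sse-kms" rule-level key off, bucket default SSE-KMS with a CMK
                           (assumption: S3 must generate a data key on behalf of
                           the SES principal, so the key policy must allow it)
          "none"           no encryption on either side
    """
    result = {
        "bucket_put": service_allowed(bucket_policy, "ses.amazonaws.com", "s3:PutObject",
                                      f"arn:aws:s3:::{BUCKET}/inbox/placeholder-message-id"),
        "key_generate_data_key": service_allowed(key_policy, "ses.amazonaws.com",
                                                 "kms:GenerateDataKey", KEY_ARN),
    }
    needs_key = mode in ("ses-cse", "bucket-sse-kms")
    result["write_succeeds"] = result["bucket_put"] and (result["key_generate_data_key"] or not needs_key)
    return result


if __name__ == "__main__":
    for mode, key_policy in [("ses-cse", SES_KEY_POLICY),
                             ("bucket-sse-kms", KEY_POLICY_WITHOUT_SES),
                             ("none", KEY_POLICY_WITHOUT_SES)]:
        print(mode, json.dumps(check_configuration(SES_BUCKET_POLICY, key_policy, mode)))
```

The evaluator deliberately ignores Condition blocks, so a "True" here is a necessary, not sufficient, check; it is meant to show that whichever side does the encryption, the key policy for a customer-managed key is part of the write path and is a natural place to look when the bucket policy alone looks correct.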