Well, it's not just the data stored in Amazon S3 that needs to be safe; it needs protection during the onward and return journey as well.
That broadly classifies data protection into two categories: protecting data in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers).
· Server-Side Encryption – The user requests Amazon S3 to encrypt the object before saving it on disks in its data centers and to decrypt it when the object is downloaded. It has 3 different types, as listed in the image, based on who manages the keys.
· Client-Side Encryption – The data is encrypted on the client side and the encrypted data is uploaded to Amazon S3. In this case, the user manages the encryption process, the encryption keys, and related tools.
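
Both categories can be enforced at the bucket with a bucket policy. The following added example (not code from the original post) audits a constructed policy for a Deny on non-TLS requests and a Deny on uploads that omit the `x-amz-server-side-encryption` header. The bucket name `example-bucket` and the function names are assumptions, and the check assumes statements use `Action` rather than `NotAction`.

```python
import json

# Constructed sample policy; "example-bucket" is a placeholder bucket name.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUploadWithoutSSE", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _denies(stmt, action, operator, key, expected):
    """True if stmt is a Deny covering `action` under the given condition."""
    if stmt.get("Effect") != "Deny":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not {"*", "s3:*", action.lower()} & set(actions):
        return False
    # Condition key names are case-insensitive; values may be bool or string.
    block = stmt.get("Condition", {}).get(operator, {})
    for name, value in block.items():
        if name.lower() == key.lower():
            return expected in [str(v).lower() for v in _as_list(value)]
    return False

def audit(policy):
    """Report whether the policy enforces protection in transit and at rest."""
    stmts = _as_list(policy.get("Statement", []))
    def has(action, op, key, val):
        return any(_denies(s, action, op, key, val) for s in stmts)
    return {
        # Both directions of the journey must be refused over plain HTTP.
        "in_transit": has("s3:GetObject", "Bool", "aws:SecureTransport", "false")
                  and has("s3:PutObject", "Bool", "aws:SecureTransport", "false"),
        # Uploads that do not request server-side encryption are refused.
        "at_rest": has("s3:PutObject", "Null",
                       "s3:x-amz-server-side-encryption", "true"),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A policy like this covers only server-side encryption; objects encrypted on the client side arrive as ciphertext and are not distinguished by it.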