Data protection and encryption - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data protection and encryption

For more information about how S3 Express One Zone encrypts and protects your data, see the following topics.

Server-side encryption with Amazon S3 managed keys (SSE-S3)

By default, all objects stored in directory buckets are automatically encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3). Unencrypted uploads to directory buckets aren't permitted. For more information, see Using server-side encryption with Amazon S3 managed keys (SSE-S3) and Protecting data with encryption.

Directory buckets don't support server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS), dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS), or server-side encryption with customer-provided encryption keys (SSE-C).

Encryption in transit

S3 Express One Zone can only be accessed through HTTPS (TLS).

S3 Express One Zone uses Regional and Zonal API endpoints. Depending on the Amazon S3 API operation that you use, either a Regional or Zonal endpoint is required. You can access Zonal and Regional endpoints through a gateway virtual private cloud (VPC) endpoint. There is no additional charge for using gateway endpoints. To learn more about Regional and Zonal API endpoints, see Networking for S3 Express One Zone.

Additional checksums

S3 Express One Zone offers you the option to choose the checksum algorithm that is used to validate your data during upload or download. You can select one of the following Cyclic Redundancy Check (CRC) or Secure Hash Algorithm (SHA) data-integrity algorithms: CRC32, CRC32C, SHA-1, or SHA-256. MD5-based checksums are not supported with the S3 Express One Zone storage class.

For more information, see S3 additional checksum best practices.
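The following Python example, added here to illustrate the encryption and checksum constraints above (it is not part of this page or of any Amazon SDK), does two things: it computes the base64 values that the x-amz-checksum-crc32, x-amz-checksum-crc32c, x-amz-checksum-sha1 and x-amz-checksum-sha256 request headers carry, and it pre-flights a PutObject header set against the rules for directory buckets (SSE-S3 only, no SSE-KMS, DSSE-KMS or SSE-C, no MD5). The header names, the AES256 / aws:kms / aws:kms:dsse values of x-amz-server-side-encryption, and the encoding of the checksum values (big-endian CRC bytes or raw digest, base64 encoded) are taken from the Amazon S3 API reference rather than from this page; the CRC-32C routine is a small table-driven implementation because the Python standard library has none.

```python
"""Pre-flight checks for uploads to an S3 Express One Zone directory bucket.

Example code added to the documentation, not an Amazon SDK API. It encodes the
constraints stated on this page (SSE-S3 only; CRC32, CRC32C, SHA-1 or SHA-256
checksums; no MD5) and builds the checksum header values S3 expects.
"""
import base64
import hashlib
import struct
import zlib

# Values of x-amz-server-side-encryption that a directory bucket accepts.
# aws:kms (SSE-KMS) and aws:kms:dsse (DSSE-KMS) are not supported there.
ALLOWED_SSE = {"AES256"}
# Additional checksum algorithms supported by S3 Express One Zone.
ALLOWED_CHECKSUMS = {"CRC32", "CRC32C", "SHA1", "SHA256"}


def _crc32c_table():
    # CRC-32C (Castagnoli), reflected polynomial 0x82F63B78.
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _crc32c_table()


def crc32c(data: bytes) -> int:
    """CRC-32C of data, as an unsigned 32-bit integer."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def checksum_header(algorithm: str, data: bytes) -> tuple:
    """Return (header name, header value) for the x-amz-checksum-* request header.

    CRC values travel as the big-endian 4-byte CRC, base64 encoded; SHA values
    as the base64 of the raw digest.
    """
    alg = algorithm.upper()
    if alg == "CRC32":
        raw = struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)
    elif alg == "CRC32C":
        raw = struct.pack(">I", crc32c(data))
    elif alg == "SHA1":
        raw = hashlib.sha1(data).digest()
    elif alg == "SHA256":
        raw = hashlib.sha256(data).digest()
    else:
        raise ValueError(f"checksum algorithm not supported for directory buckets: {algorithm}")
    return f"x-amz-checksum-{alg.lower()}", base64.b64encode(raw).decode("ascii")


def validate_directory_bucket_upload(headers: dict) -> list:
    """Return the reasons a PutObject header set conflicts with directory-bucket rules.

    An empty list means the encryption and checksum headers are acceptable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    sse = h.get("x-amz-server-side-encryption")
    if sse is not None and sse not in ALLOWED_SSE:
        problems.append(f"{sse} is not supported; directory buckets use SSE-S3 (AES256) only")
    if any(k.startswith("x-amz-server-side-encryption-customer-") for k in h):
        problems.append("SSE-C headers are not supported for directory buckets")
    alg = h.get("x-amz-sdk-checksum-algorithm")
    if alg is not None and alg.upper() not in ALLOWED_CHECKSUMS:
        problems.append(f"checksum algorithm {alg} is not supported; use CRC32, CRC32C, SHA1 or SHA256")
    if "content-md5" in h:
        problems.append("MD5-based checksums are not supported with S3 Express One Zone")
    return problems


if __name__ == "__main__":
    body = b"constructed sample object body"  # constructed input for the demo
    name, value = checksum_header("CRC32C", body)
    request = {
        "x-amz-server-side-encryption": "AES256",
        "x-amz-sdk-checksum-algorithm": "CRC32C",
        name: value,
    }
    print(request, validate_directory_bucket_upload(request))
    print(validate_directory_bucket_upload({"x-amz-server-side-encryption": "aws:kms"}))
```

Omitting x-amz-server-side-encryption altogether is also fine, since directory buckets apply SSE-S3 by default; the validator therefore only complains when a request asks for something other than AES256. Running the checksum locally before the upload also lets you compare the value S3 returns on GetObject with the one you computed, which is the point of the additional checksums.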

Data deletion

You can delete one or more objects directly from S3 Express One Zone by using the Amazon S3 console, Amazon SDKs, Amazon Command Line Interface (Amazon CLI), or Amazon S3 REST API. Because all objects in your directory buckets incur storage costs, we recommend deleting objects that you no longer need.

Deleting an object that's stored in a directory bucket also recursively deletes any parent directories, if those parent directories don't contain any objects other than the object that's being deleted.

Multi-factor authentication (MFA) delete and S3 Versioning are not supported for S3 Express One Zone.