Client
Vendor
utilacy
Hyperscaler
SSE — Upload
Upload in plaintext to S3
Data reaches S3 in plaintext; S3 performs server-side encryption with S3-managed keys.
plaintext (TLS)ciphertextkeywrapped key What’s different here? AWS controls encryption entirely. Vendor can decrypt.