Regarding Encryption, S3 now encrypts all new puts where customer doesn't specify an encryption type , with SSE-S3 by default. You can have object level encryption when you do a put object request by changing the encryption type in the x-amz-sse encryption headers. You can also set a bucket level encryption policy to encrypt all new objects with the bucket key ( KMS key used at time of bucket creation for bucket level encryption )