This is an 'enterprise-friendly' feature - the appearance of thorough security ("all our data is stored with AES-256 encryption") with only a nominal increase in actual security.
Just think: there will be AWS accounts using this while their master AWS console account continues to have a single-dictionary-word password and no MFA. Truly the Cloud is the silver bullet to save us all from shoddy CIOs!
Agreed, this is more of an item to check off on a list than an actual, meaningful feature. It's the kind of thing that some exec who doesn't understand the details will take comfort in, even though at the end of the day the benefit is minimal.
The only way to do this safely is to do the encryption yourself prior to uploading to S3 and manage the keys yourself.
Yes, this. It's awesome that AWS is providing server-side encryption at no additional cost and with no additional client-side implementation effort, but ultimately your data is still at risk.
When Dropbox's authentication layer failed, their encryption was meaningless. Same thing here: data is still vulnerable to errors, misappropriation, subpoena, etc.
Absolutely. This feature is really bad. I would even argue that, giving people who have no idea about security an additional false sense of it, actually decreases security overall. Now people will more likely give their money for this feature instead of paying a proper security analyst to implement security client side.
As I understand it the encryption adds both latency and more points of failure to S3 (keys stored on separate servers). How is adding both of that negligent?
From a security point of view the encryption adds no value at all: Either I trust Amazon to not look at my data, or I don't trust them. If I don't trust them with my data, surely I also can't trust them with my encryption keys.
How exactly will this protect my data?