X-Amz-Server-Side-Encryption

The HTTP X-Amz-Server-Side-Encryption request and response header is an unofficial, AWS-specific header identifying the server-side encryption algorithm applied to an object stored in Amazon S3.

Usage

Amazon S3 encrypts objects at rest using server-side encryption. When an object is uploaded or retrieved, the X-Amz-Server-Side-Encryption header indicates which encryption method protects the stored data. The header appears in both PUT responses (confirming encryption was applied) and GET responses (confirming the encryption type of the retrieved object).

Three encryption modes exist. SSE-S3 uses AES-256 keys managed entirely by Amazon S3. SSE-KMS uses keys managed through AWS Key Management Service, offering audit trails via AWS CloudTrail and granular key access policies. DSSE-KMS applies dual-layer encryption using KMS keys for workloads requiring two independent encryption layers.

Services built on S3 storage expose this header in HTTP responses. Amazon CloudFront distributions with S3 origins, Amazon Prime Video, Reddit, Snapchat, and other platforms hosted on AWS infrastructure all include the header when serving S3-backed objects.

Note

The "X-" naming convention for HTTP headers, in which "X" stands for "experimental", has been deprecated, and headers using it need to be transitioned to the formal naming convention for HTTP headers.

Values

AES256

The AES256 value indicates SSE-S3 encryption. Amazon S3 manages the encryption keys internally, using AES-256 to encrypt each object. This is the default encryption mode for S3 buckets.

aws:kms

The aws:kms value indicates SSE-KMS encryption. AWS Key Management Service manages the encryption key. This mode enables key rotation policies, access control through KMS key policies, and request logging in AWS CloudTrail.

aws:kms:dsse

The aws:kms:dsse value indicates dual-layer server-side encryption with KMS keys (DSSE-KMS). Two independent layers of AES-256 encryption are applied to the object, meeting compliance requirements for CNSSP 15 and other standards mandating dual-layer protection.

Example

Most S3-backed responses include AES256, the default encryption mode. This indicates the object is encrypted at rest using S3-managed keys.

X-Amz-Server-Side-Encryption: AES256

When a bucket or object is configured to use AWS Key Management Service for encryption, the header returns aws:kms. A companion header X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id identifies the specific KMS key used.

X-Amz-Server-Side-Encryption: aws:kms

A typical S3 response includes this header alongside other AWS-specific HTTP headers. Together, the headers show the object's encryption status, content type, and caching metadata.

Content-Type: image/jpeg
Cache-Control: max-age=31536000
X-Amz-Server-Side-Encryption: AES256
X-Amz-Cf-Id: rEZ41zHijmTaPJrLdiavv7oU8giHtH8HQXvabc2QPAly_Btvu5C2Dw==
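
The following Python sketch is an added example, not AWS code or part of the original page. It reads a captured block of response headers, maps the header value to its encryption mode, and reports when aws:kms arrives without the companion key-id header. The allowed-mode policy set and the KMS sample with its placeholder key ARN are assumptions constructed for illustration.

```python
SSE = "x-amz-server-side-encryption"
KMS_KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
MODES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}

# Response headers from the page's example.
PAGE_SAMPLE = """\
Content-Type: image/jpeg
Cache-Control: max-age=31536000
X-Amz-Server-Side-Encryption: AES256
X-Amz-Cf-Id: rEZ41zHijmTaPJrLdiavv7oU8giHtH8HQXvabc2QPAly_Btvu5C2Dw==
"""

# Constructed sample; the key ARN is a placeholder, not a real key.
KMS_SAMPLE = """\
x-amz-server-side-encryption: aws:kms
x-amz-server-side-encryption-aws-kms-key-id: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        # Split on the first colon only: values such as aws:kms contain colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw, allowed=None):
    """Return (mode, findings); `allowed` is a hypothetical set of permitted modes."""
    headers = parse_headers(raw)
    value = headers.get(SSE)
    if value is None:
        return None, ["header absent: response does not state an encryption mode"]
    mode = MODES.get(value)  # values are matched exactly as listed under Values
    if mode is None:
        return None, [f"unrecognised value {value!r}"]
    findings = []
    if value == "aws:kms" and not headers.get(KMS_KEY_ID):
        findings.append("aws:kms without the companion key-id header")
    if allowed is not None and mode not in allowed:
        findings.append(f"{mode} is outside the allowed set {sorted(allowed)}")
    return mode, findings


if __name__ == "__main__":
    print(audit(PAGE_SAMPLE, allowed={"SSE-KMS", "DSSE-KMS"}), audit(KMS_SAMPLE))
```

An absent header is reported as "not stated" rather than "unencrypted", since the response alone does not say why the header is missing.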

Takeaway

The X-Amz-Server-Side-Encryption header identifies the encryption algorithm protecting an S3 object at rest, confirming whether AES-256 (SSE-S3), KMS-managed keys (SSE-KMS), or dual-layer KMS encryption (DSSE-KMS) is in effect.

Last updated: March 6, 2026