Amazon S3 Replication now supports objects encrypted with server-side encryption with customer-provided keys (SSE-C). SSE-C is an encryption option that allows you to store your own encryption keys to satisfy compliance or security requirements, rather than having AWS store the keys on your behalf using SSE-S3 or SSE-KMS. Now you can automatically replicate your SSE-C encrypted objects to a secondary bucket for your data protection or multi-region resiliency needs. S3 Replication will automatically replicate newly uploaded SSE-C encrypted objects if they are eligible, as per your S3 Replication configurations. To replicate existing SSE-C objects, you can use S3 Batch Replication. To retrieve a replicated SSE-C encrypted object from S3, you supply the same key used to encrypt that object when it was initially uploaded to S3.
Amazon S3 Replication is an elastic, fully managed, low-cost way to replicate objects between buckets, giving you the control you need to meet your data protection or multi-region resiliency needs. You can configure S3 Replication to automatically replicate S3 objects in the same AWS Region or across different AWS Regions. You have the flexibility to replicate to multiple destination buckets, and to replicate bi-directionally between buckets. If you need a predictable replication time, you can use Replication Time Control (RTC). S3 RTC is designed to replicate 99.99% of objects within 15 minutes after upload, with the majority of those new objects replicated in seconds. S3 RTC is backed by a Service Level Agreement (SLA) with a commitment to replicate 99.9% of objects within 15 minutes during any billing month.
Amazon S3 Replication support for SSE-C encrypted objects is available in all AWS Regions, including the AWS GovCloud (US) Regions and AWS China Regions. To learn more about S3 Replication, please visit the S3 documentation, S3 Replication feature page, or S3 FAQs.