AWS S3 Configuration Best Practice: Enable Server-Side Encryption

We’ve previously written about how checklists help avoid configuration errors, and data protection is one area where that practice pays off. Encryption is among the most fundamental data-protection controls because it renders data unreadable to anyone who obtains it without the key, whether it is lost, stolen or otherwise accessed inappropriately. A major AWS S3 configuration error, therefore, is not enabling server-side encryption: a bucket without it may store confidential information in clear text. (Note that since January 2023 S3 applies SSE-S3 encryption to every new object by default, but objects written before then and buckets that require a customer-managed KMS key still need an explicit configuration, so the setting is still worth checking.)

Encryption for S3 covers two states: data at rest (objects stored in S3) and data in transit (requests and objects traveling to and from S3). Data in transit is protected by SSL/TLS; data at rest is protected by either server-side encryption or client-side encryption. With client-side encryption the customer owns the encryption process, tooling and keys, which is time-consuming and expensive for IT admins to manage and frequently too complex. Consequently, most organizations prefer server-side encryption since Amazon manages the processes of encrypting their data before storage and decrypting it when accessed by
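The following is an added example (not code from the original article) showing what "checking and enabling server-side encryption" looks like in practice: it audits the response of S3's GetBucketEncryption API for weak or missing settings, builds the default-encryption configuration for SSE-S3 or SSE-KMS, and builds a bucket policy that covers the data-in-transit side by denying requests that did not arrive over TLS. The sample API responses are constructed for the demo, the bucket and key names are placeholders, and the boto3 calls are guarded so the module runs offline.

```python
"""Audit and enforce S3 server-side encryption (added example, not from the article).

The dict shapes match the real S3 API (GetBucketEncryption response,
PutBucketEncryption input, bucket-policy JSON); the sample responses at the
bottom are constructed for illustration.
"""
import json
from typing import List, Optional

SSE_S3 = "AES256"
SSE_KMS = "aws:kms"


def audit_encryption(response: dict) -> List[str]:
    """Return findings for a GetBucketEncryption response; [] means acceptable.

    Pass {} when boto3 raised ServerSideEncryptionConfigurationNotFoundError,
    which is how S3 reports a bucket with no default encryption at all.
    """
    findings = []
    rules = (response.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    if not rules:
        findings.append("no default encryption rule: new objects may be stored in clear text")
        return findings
    for i, rule in enumerate(rules):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == SSE_KMS:
            # No KMSMasterKeyID means the AWS managed key aws/s3 is used; a
            # customer managed key gives you the key policy and rotation control.
            if not default.get("KMSMasterKeyID"):
                findings.append(f"rule {i}: SSE-KMS uses the AWS managed key, not a customer managed key")
            if not rule.get("BucketKeyEnabled", False):
                findings.append(f"rule {i}: BucketKeyEnabled is false; enabling it reduces KMS request volume")
        elif algo != SSE_S3:
            findings.append(f"rule {i}: unknown or missing SSEAlgorithm {algo!r}")
    return findings


def encryption_config(kms_key_arn: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration for put_bucket_encryption."""
    if kms_key_arn:
        rule = {
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": SSE_KMS, "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,
        }
    else:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": SSE_S3}}
    return {"Rules": [rule]}


def enforcement_policy(bucket: str, require_kms: bool = False) -> dict:
    """Bucket policy: deny non-TLS requests, and optionally deny uploads that
    do not explicitly request SSE-KMS (default encryption already covers
    uploads that send no encryption header at all)."""
    arn = f"arn:aws:s3:::{bucket}"
    statements = [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [arn, f"{arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    if require_kms:
        statements.append({
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": SSE_KMS}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def apply_to_bucket(bucket: str, kms_key_arn: Optional[str] = None) -> None:
    """Push the configuration with boto3 (only runs when boto3 and credentials exist)."""
    import boto3  # imported here so the rest of the module works offline
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=encryption_config(kms_key_arn))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(enforcement_policy(bucket, require_kms=bool(kms_key_arn))))


# Constructed sample responses, shaped like boto3's get_bucket_encryption output.
SAMPLE_NO_CONFIG = {}
SAMPLE_KMS_MANAGED_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
SAMPLE_GOOD = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},  # placeholder ARN
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for name, sample in [("no-config", SAMPLE_NO_CONFIG), ("kms-managed", SAMPLE_KMS_MANAGED_KEY), ("good", SAMPLE_GOOD)]:
        print(name, audit_encryption(sample) or "OK")
    print(json.dumps(enforcement_policy("example-bucket", require_kms=True), indent=2))
```

Run the audit against every bucket returned by `list_buckets` as part of the checklist; a finding on the first line ("no default encryption rule") is the clear-text exposure the article warns about, while the SSE-KMS findings are hardening advice rather than an exposure.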
