There are several ways of encrypting S3 objects (or putting default encryption on a bucket). Below I only mention server-side encryption (i.e. that performed on the AWS side, not client side):
SSE-S3 - is free and uses AWS owned CMKs (CMK = Customer Master Key). The encryption key is owned and managed by AWS, and is shared among many accounts. Its rotation is automatic, with a period that varies as shown in the table here; the period is not explicitly defined.
SSE-KMS - has two flavors:
- AWS managed CMK. This is a free CMK generated only for your account. You can only view its policies and audit its usage, but not manage it. Rotation is automatic - once per 1095 days (3 years),
- Customer managed CMK. This uses your own key that you create and can manage. Rotation is not enabled by default, but if you enable it, the key will be rotated automatically every 1 year. This variant can also use key material imported by you. If you create such a key with imported material, there is no automated rotation, only manual rotation.
SSE-C - customer provided key. The encryption key is fully managed by you outside of AWS. AWS will not rotate it.
Which is recommended?
It depends. I would say that generally SSE-S3 is sufficient and it simplifies a lot of operations, e.g. cross-account access to encrypted objects. But due to some external requirements (regulatory issues), other encryption options must be used.
For example, you may be required to rotate the encryption key every 6 months. In this case, neither SSE-S3 nor SSE-KMS with an AWS managed CMK is applicable, and you have to use SSE-KMS with a customer managed key and rotate it manually.
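To make the decision above mechanical, here is an added example (not part of the original answer) that encodes the options and the rotation intervals stated above, checks them against a "rotate at least every N days" requirement, and builds the matching S3 default-encryption configuration. The `KeyFacts` class, the `assess_rotation` and `default_encryption_config` functions, and the sample key facts are constructed for this example; `describe_key`, `get_key_rotation_status` and `put_bucket_encryption` are real boto3 calls, but they are only imported inside the two "live" helpers, so everything else runs offline.

```python
"""Map the S3 server-side encryption options onto concrete settings and check
them against a key-rotation requirement (e.g. "rotate every 6 months").
Rotation intervals are the ones stated in the answer above."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SSE_S3, SSE_KMS, SSE_C = "SSE-S3", "SSE-KMS", "SSE-C"

# Automated rotation intervals in days, as given in the answer above.
AWS_MANAGED_CMK_ROTATION_DAYS = 1095   # AWS managed CMK (alias aws/s3): once per 3 years
CUSTOMER_CMK_ROTATION_DAYS = 365       # customer managed CMK, only if rotation is enabled


@dataclass
class KeyFacts:
    """The parts of KMS DescribeKey / GetKeyRotationStatus output that matter here."""
    key_manager: str            # "AWS" = AWS managed CMK, "CUSTOMER" = customer managed CMK
    origin: str                 # "AWS_KMS" = generated by KMS, "EXTERNAL" = imported key material
    rotation_enabled: bool = False


def assess_rotation(option: str, max_days: int, key: Optional[KeyFacts] = None) -> Tuple[bool, str]:
    """Return (compliant, reason): can AWS's automated rotation satisfy
    'rotate at least every max_days days' for this option and key?"""
    if option == SSE_S3:
        return False, "SSE-S3: AWS owned key, rotation interval not published, so it cannot be proven"
    if option == SSE_C:
        return False, "SSE-C: AWS never rotates a customer provided key; rotation is your own process"
    if option != SSE_KMS or key is None:
        raise ValueError("SSE-KMS needs KeyFacts for the CMK")
    if key.key_manager == "AWS":
        if AWS_MANAGED_CMK_ROTATION_DAYS <= max_days:
            return True, "AWS managed CMK: automatic rotation every 1095 days is within the limit"
        return False, "AWS managed CMK: rotates every 1095 days and the interval cannot be changed"
    if key.origin == "EXTERNAL":
        return False, "customer managed CMK with imported material: no automated rotation, manual only"
    if not key.rotation_enabled:
        return False, "customer managed CMK: rotation is off by default; enable it or rotate manually"
    if CUSTOMER_CMK_ROTATION_DAYS <= max_days:
        return True, "customer managed CMK: automatic yearly rotation is within the limit"
    return False, "customer managed CMK: yearly rotation is too slow, rotate manually"


def default_encryption_config(option: str, kms_key_id: Optional[str] = None) -> Dict:
    """Build the ServerSideEncryptionConfiguration for S3 PutBucketEncryption.
    SSE-C cannot be a bucket default: the key travels with each request."""
    if option == SSE_S3:
        by_default = {"SSEAlgorithm": "AES256"}
    elif option == SSE_KMS:
        by_default = {"SSEAlgorithm": "aws:kms"}
        if kms_key_id:                       # omit it and S3 uses the AWS managed key aws/s3
            by_default["KMSMasterKeyID"] = kms_key_id
    else:
        raise ValueError(f"{option} cannot be set as a bucket default")
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}


def key_facts_from_kms(key_id: str) -> KeyFacts:
    """Live lookup with boto3 (needs credentials); not exercised offline."""
    import boto3
    kms = boto3.client("kms")
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    rotation = kms.get_key_rotation_status(KeyId=key_id)
    return KeyFacts(meta["KeyManager"], meta["Origin"], rotation.get("KeyRotationEnabled", False))


def apply_default_encryption(bucket: str, option: str, kms_key_id: Optional[str] = None) -> None:
    """Set the bucket default encryption with boto3 (needs credentials)."""
    import boto3
    boto3.client("s3").put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(option, kms_key_id),
    )


if __name__ == "__main__":
    # Constructed key facts (not fetched from an account), checked against a 6-month limit.
    aws_managed = KeyFacts("AWS", "AWS_KMS", True)
    customer = KeyFacts("CUSTOMER", "AWS_KMS", True)
    imported = KeyFacts("CUSTOMER", "EXTERNAL", False)
    cases = [(SSE_S3, None), (SSE_KMS, aws_managed), (SSE_KMS, customer),
             (SSE_KMS, imported), (SSE_C, None)]
    for opt, key in cases:
        ok, why = assess_rotation(opt, 183, key)
        print(f"{'OK  ' if ok else 'FAIL'} {opt}: {why}")
```

With a 183-day limit every option comes back as non-compliant for automated rotation, which is exactly the situation in the last paragraph: the only workable path is a customer managed CMK rotated by your own process, and the bucket default should point at that key explicitly (`default_encryption_config("SSE-KMS", "<your key id or alias>")`) rather than falling back to aws/s3.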