Customers can now apply two independent layers of server-side encryption to objects in Amazon S3. Dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS) is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption. Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers. S3 features such as DSSE-KMS are vetted and accepted for use on top-secret workloads, which benefits all customers globally.
Source:: Amazon AWS