ECS provides server-side encryption to protect data on disk. Key management is either done automatically or specified by user. Enabling encryption is done at the namespace level or bucket level, allowing customers to have level of control at what level to handle encryption. If in the namespace level, all buckets within namespace are encrypted unless at bucket creation time it is specifically disabled. If not enabled at namespace level, buckets can enable encryption individually at create time.
D@RE best practices