PutBucketEncryption
This action uses the encryption subresource to configure default encryption and Amazon S3 Bucket Keys for an existing bucket.
By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption for a bucket by using server-side encryption with an Amazon KMS key (SSE-KMS) or a customer-provided key (SSE-C). If you specify default encryption by using SSE-KMS, you can also configure Amazon S3 Bucket Keys. For information about bucket default encryption, see Amazon S3 bucket default encryption in the Amazon S3 User Guide. For more information about S3 Bucket Keys, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.
Important
This action requires Amazon Signature Version 4. For more information, see Authenticating Requests (Amazon Signature Version 4).
To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.
The following operations are related to PutBucketEncryption:
Request Syntax
PUT /?encryption HTTP/1.1
Host: Bucket.s3.amazonaws.com
Content-MD5: ContentMD5
x-amz-sdk-checksum-algorithm: ChecksumAlgorithm
x-amz-expected-bucket-owner: ExpectedBucketOwner

<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <KMSMasterKeyID>string</KMSMasterKeyID>
         <SSEAlgorithm>string</SSEAlgorithm>
      </ApplyServerSideEncryptionByDefault>
      <BucketKeyEnabled>boolean</BucketKeyEnabled>
   </Rule>
   ...
</ServerSideEncryptionConfiguration>
URI Request Parameters
The request uses the following URI parameters.
- Bucket
-
Specifies default encryption for a bucket using server-side encryption with different key options. By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption for a bucket by using server-side encryption with an Amazon KMS key (SSE-KMS) or a customer-provided key (SSE-C). For information about the bucket default encryption feature, see Amazon S3 Bucket Default Encryption in the Amazon S3 User Guide.
Required: Yes
- Content-MD5
-
The base64-encoded 128-bit MD5 digest of the server-side encryption configuration.
For requests made using the Amazon Command Line Interface (CLI) or Amazon SDKs, this field is calculated automatically.
- x-amz-expected-bucket-owner
-
The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code 403 Forbidden (access denied).
- x-amz-sdk-checksum-algorithm
-
Indicates the algorithm used to create the checksum for the object when using the SDK. This header will not provide any additional functionality if not using the SDK. When sending this header, there must be a corresponding x-amz-checksum or x-amz-trailer header sent. Otherwise, Amazon S3 fails the request with the HTTP status code 400 Bad Request. For more information, see Checking object integrity in the Amazon S3 User Guide.
If you provide an individual checksum, Amazon S3 ignores any provided ChecksumAlgorithm parameter.
Valid Values: CRC32 | CRC32C | SHA1 | SHA256
Request Body
The request accepts the following data in XML format.
- ServerSideEncryptionConfiguration
-
Root level tag for the ServerSideEncryptionConfiguration parameters.
Required: Yes
- Rule
-
Container for information about a particular server-side encryption configuration rule.
Type: Array of ServerSideEncryptionRule data types
Required: Yes
Response Syntax
HTTP/1.1 200
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Examples
In the request, you specify the encryption configuration in the request body. The encryption configuration is specified as XML, as shown in the following examples that show setting encryption using SSE-S3 or SSE-KMS.
Request Body for Setting SSE-S3
This example illustrates one usage of PutBucketEncryption.
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>AES256</SSEAlgorithm>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>
Request Body for Setting SSE-KMS
This example illustrates one usage of PutBucketEncryption.
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>aws:kms</SSEAlgorithm>
         <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>
Set the Default Encryption Configuration for an S3 Bucket
The following is an example of a PUT /?encryption request that specifies Amazon KMS encryption.
PUT /?encryption HTTP/1.1
Host: examplebucket.<Region>s3.amazonaws.com
Date: Wed, 06 Sep 2017 12:00:00 GMT
Authorization: authorization
Content-Length: length

<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>aws:kms</SSEAlgorithm>
         <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>
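The following is an added example, not part of the original reference or of any Amazon SDK. Using only the Python standard library, it builds the request body described above, computes the Content-MD5 header, and checks a body for an SSEAlgorithm in every rule before it is sent. The function names and the `ALGORITHMS` set (limited to the two values this page uses) are assumptions for illustration; Signature Version 4 signing is omitted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
DEFAULT = NS + "ApplyServerSideEncryptionByDefault"
ALGORITHMS = {"AES256", "aws:kms"}  # assumption: only the values shown on this page


def build_config(sse_algorithm, kms_key_id=None, bucket_key=None):
    """Serialize a one-rule ServerSideEncryptionConfiguration request body."""
    ET.register_namespace("", NS.strip("{}"))  # emit xmlns="..." without a prefix
    root = ET.Element(NS + "ServerSideEncryptionConfiguration")
    rule = ET.SubElement(root, NS + "Rule")
    default = ET.SubElement(rule, DEFAULT)
    if kms_key_id:
        ET.SubElement(default, NS + "KMSMasterKeyID").text = kms_key_id
    ET.SubElement(default, NS + "SSEAlgorithm").text = sse_algorithm
    if bucket_key is not None:
        ET.SubElement(rule, NS + "BucketKeyEnabled").text = str(bool(bucket_key)).lower()
    body = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    if problems := lint_config(body):  # refuse to hand back a body that fails the checks
        raise ValueError("; ".join(problems))
    return body


def lint_config(body):
    """Return the problems found in a configuration body (empty list if none)."""
    rules = ET.fromstring(body).findall(NS + "Rule")
    problems = [] if rules else ["no Rule element"]
    for n, rule in enumerate(rules, 1):
        alg = rule.findtext(f"{DEFAULT}/{NS}SSEAlgorithm")
        key = rule.findtext(f"{DEFAULT}/{NS}KMSMasterKeyID")
        bucket_key = rule.findtext(NS + "BucketKeyEnabled")
        if alg not in ALGORITHMS:
            problems.append(f"rule {n}: SSEAlgorithm is {alg!r}")
        if key and alg != "aws:kms":
            problems.append(f"rule {n}: KMSMasterKeyID without aws:kms")
        if bucket_key == "true" and alg != "aws:kms":
            problems.append(f"rule {n}: BucketKeyEnabled without aws:kms")
    return problems


def request_headers(body, expected_owner=None):
    """Content-MD5 plus the optional bucket-owner check header; signing is omitted."""
    headers = {"Content-MD5": base64.b64encode(hashlib.md5(body).digest()).decode()}
    if expected_owner:
        headers["x-amz-expected-bucket-owner"] = expected_owner
    return headers
```

Running `lint_config` over a stored configuration before the PUT catches a rule that names a KMS key but no algorithm, and passing the owning account ID as `expected_owner` makes the request fail with 403 if the bucket name resolves to another account's bucket.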
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following: