AWS::S3::Bucket ServerSideEncryptionByDefault
Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an Amazon KMS key in your Amazon account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see PUT Bucket encryption in the Amazon S3 API Reference.
Note
If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then Amazon KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "KMSMasterKeyID" : String,
  "SSEAlgorithm" : String
}
YAML
KMSMasterKeyID: String
SSEAlgorithm: String
Properties
KMSMasterKeyID
Amazon Key Management Service (KMS) customer managed key ID to use for the default encryption. This parameter is allowed if and only if SSEAlgorithm is set to aws:kms or aws:kms:dsse. You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
- Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
- Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
- Key Alias: alias/alias-name
If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
If you are using encryption with cross-account or Amazon service operations you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.
Important
Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon KMS in the Amazon Key Management Service Developer Guide.
Required: No
Type: String
Update requires: No interruption
SSEAlgorithm
Server-side encryption algorithm to use for the default encryption.
Required: Yes
Type: String
Allowed values: aws:kms | AES256 | aws:kms:dsse
Update requires: No interruption
Examples
Create a bucket with default encryption
The following example creates a bucket with server-side bucket encryption configured.
This example uses encryption with Amazon KMS keys (SSE-KMS). You can use dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS) by specifying aws:kms:dsse for SSEAlgorithm. You can also use server-side encryption with S3-managed keys (SSE-S3) by modifying the Amazon S3 Bucket ServerSideEncryptionByDefault property to specify AES256 for SSEAlgorithm. For more information, see Using SSE-S3 in the Amazon S3 User Guide.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
    "EncryptedS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "KMS-KEY-ARN"
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Delete"
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete
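As an added pre-deployment check (example code, not part of this documentation or of CloudFormation), the following Python linter applies the rules from the property reference and the note above to a parsed template: KMSMasterKeyID only with aws:kms or aws:kms:dsse, allowed SSEAlgorithm values, and a fully qualified key ARN rather than an alias or bare key ID so the key resolves in the bucket owner's account. The ARN regular expression, the function names and the sample resources are assumptions constructed for the example; the sample reuses the page's KMS-KEY-ARN placeholder, which the check flags.

```python
import re
# Allowed SSEAlgorithm values from the property reference.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}
# Shape of a fully qualified KMS key ARN (not an alias ARN); the partition,
# region and account patterns are an assumption, not taken from the page.
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def check_default_encryption(template: dict) -> list:
    """Return one finding string per problem in each AWS::S3::Bucket resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        rules = (res.get("Properties", {}).get("BucketEncryption", {})
                 .get("ServerSideEncryptionConfiguration", []))
        if not rules:
            findings.append(f"{name}: no BucketEncryption configured")
        for rule in rules:
            default = rule.get("ServerSideEncryptionByDefault", {})
            algo, key = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
            if algo not in ALLOWED_ALGORITHMS:
                findings.append(f"{name}: SSEAlgorithm {algo!r} is not an allowed value")
            elif algo not in KMS_ALGORITHMS and key is not None:
                findings.append(f"{name}: KMSMasterKeyID requires aws:kms or aws:kms:dsse")
            elif algo in KMS_ALGORITHMS:
                if key is None:
                    findings.append(f"{name}: no KMSMasterKeyID, S3 will use its own KMS key")
                elif not isinstance(key, str):
                    pass  # intrinsic function (Ref, Fn::GetAtt): not checkable statically
                elif key.startswith("alias/"):
                    findings.append(f"{name}: alias {key!r} resolves in the requester's account")
                elif not KEY_ARN_RE.match(key):
                    findings.append(f"{name}: {key!r} is not a fully qualified KMS key ARN")
    return findings

def sse_default(algo, key=None):
    """Build a constructed bucket resource with one default-encryption rule."""
    default = {"SSEAlgorithm": algo, **({"KMSMasterKeyID": key} if key else {})}
    return {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": default}]}}}

# Constructed sample template: the page's placeholder, an alias, AES256 with a key, a valid ARN.
SAMPLE_TEMPLATE = {"Resources": {
    "EncryptedS3Bucket": sse_default("aws:kms", "KMS-KEY-ARN"),
    "AliasBucket": sse_default("aws:kms:dsse", "alias/alias-name"),
    "SseS3Bucket": sse_default("AES256", "1234abcd-12ab-34cd-56ef-1234567890ab"),
    "GoodBucket": sse_default("aws:kms",
        "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
}}
```

Running check_default_encryption(SAMPLE_TEMPLATE) reports the first three buckets and accepts GoodBucket; a key passed through Ref or Fn::GetAtt is skipped because its value is only known at deploy time.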