ServerSideEncryptionByDefault
Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an Amazon KMS key in your Amazon account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see PUT Bucket encryption in the Amazon S3 API Reference.
Contents
- SSEAlgorithm
-
Server-side encryption algorithm to use for the default encryption.
Type: String
Valid Values:
AES256 | aws:kms | aws:kms:dsseRequired: Yes
- KMSMasterKeyID
-
Amazon Key Management Service (KMS) customer Amazon KMS key ID to use for the default encryption. This parameter is allowed if and only if
SSEAlgorithmis set toaws:kms.You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab -
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab -
Key Alias:
alias/alias-name
If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
If you are using encryption with cross-account or Amazon service operations you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.
Important
Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon KMS in the Amazon Key Management Service Developer Guide.
Type: String
Required: No
-
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following: