How Do I Enable Default Encryption for an Amazon S3 Bucket? - Amazon Simple Storage Service
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

How Do I Enable Default Encryption for an Amazon S3 Bucket?

Amazon S3 default encryption provides a way to set the default encryption behavior for an Amazon S3 bucket. You can set default encryption on a bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).

When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the objects. For more information about protecting data using server-side encryption and encryption key management, see Protecting Data Using Server-Side Encryption in the Amazon Simple Storage Service Developer Guide.

Default encryption can be enabled on any existing or new Amazon S3 bucket. It applies to objects written after it is enabled; objects already stored in the bucket are not re-encrypted. Without default encryption, to encrypt all objects stored in a bucket, you must include encryption information with every object storage request, and you must also set up an Amazon S3 bucket policy to reject storage requests that don't include encryption information.

There are no new charges for using default encryption for S3 buckets. Requests to configure the default encryption feature incur standard Amazon S3 request charges. For information about pricing, see Amazon S3 Pricing. For SSE-KMS CMK storage, AWS KMS charges apply and are listed at AWS KMS Pricing.

To enable default encryption on an Amazon S3 bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the Bucket name list, choose the name of the bucket that you want.

    
          Screenshot of bucket name list with a bucket name highlighted.
  3. Choose Properties.

    
          Screenshot of page tabs with the Properties tab chosen.
  4. Choose Default encryption.

    
          Screenshot of the default encryption option.
  5. If you want to use keys that are managed by Amazon S3 for default encryption, choose AES-256, and choose Save.

    For more information about using Amazon S3 server-side encryption to encrypt your data, see Protecting Data with Amazon S3-Managed Encryption Keys in the Amazon Simple Storage Service Developer Guide.

    
              Default encryption screen with AES-256 chosen.
    Important

    You might need to update your bucket policy when enabling default encryption. If the bucket policy already enforces encryption by rejecting requests that don't include encryption headers, review it so that it does not conflict with the encryption type you choose here. For more information, see Moving to Default Encryption from Using Bucket Policies for Encryption Enforcement in the Amazon Simple Storage Service Developer Guide.

  6. If you want to use CMKs that are stored in AWS KMS for default encryption, follow these steps:

    1. Choose AWS-KMS.

    2. To choose a customer-managed AWS KMS CMK that you have created, use one of these methods:

      • In the list that appears, choose the AWS KMS CMK.

      • In the list that appears, choose Custom KMS ARN, and then enter the Amazon Resource Name of the AWS KMS CMK.

      Important

      When you use an AWS KMS CMK for server-side encryption in Amazon S3, you must choose a symmetric CMK. Amazon S3 only supports symmetric CMKs and not asymmetric CMKs. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.

      
              Default encryption screen with AWS KMS chosen, and a drop-down list with CMK
                names.
    Important

    If you use the AWS KMS option for your default encryption configuration, every upload of and every download of an object encrypted with SSE-KMS results in a request to AWS KMS, so the bucket's request rate is subject to the RPS (requests per second) limits of AWS KMS. For more information about AWS KMS limits and how to request a limit increase, see AWS KMS limits.

    The key policy of the CMK (or the IAM policies of the callers) must allow the principals that write to and read from the bucket to use the key: kms:GenerateDataKey for uploads and kms:Decrypt for downloads. Without those permissions, uploads and downloads to the bucket fail. For more information about creating an AWS KMS CMK, see Creating Keys in the AWS Key Management Service Developer Guide. For more information about using AWS KMS with Amazon S3, see Protecting Data with Keys Stored in AWS KMS in the Amazon Simple Storage Service Developer Guide.

  7. Choose Save.
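The same configuration applied and verified through the S3 API instead of the console, as an added example that is not part of this page or of the AWS documentation. It uses boto3 (the AWS SDK for Python); the bucket name, the command-line interface and the sample key ARN are assumptions for illustration. The pure functions build the same ServerSideEncryptionConfiguration the console writes (AES256 for SSE-S3, aws:kms with an optional KMSMasterKeyID for SSE-KMS) and reduce what GetBucketEncryption returns to a summary, including the case where no default encryption has been set, which S3 reports with the error code ServerSideEncryptionConfigurationNotFoundError. The example insists on a full key ARN for the custom-key case, matching the console's "Custom KMS ARN" field, although the API also accepts key IDs and aliases.

```python
"""Set and verify S3 default encryption with boto3.

Added example, not code from the AWS documentation page. The bucket name,
the command-line interface and the sample key ARN are assumptions for
illustration; the boto3 calls (put_bucket_encryption, get_bucket_encryption)
and the response shapes are the real S3 API.
"""
import re
import sys

# Shape of a KMS key ARN, as entered in the console's "Custom KMS ARN" field:
# the key is addressed by its UUID in the aws, aws-cn or aws-us-gov partition.
_KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:"
    r"key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)


def is_kms_key_arn(value):
    """True when value is a well-formed KMS key ARN (not a key ID or alias)."""
    return bool(_KMS_KEY_ARN.match(value))


def build_sse_config(algorithm, kms_key_arn=None):
    """Build the ServerSideEncryptionConfiguration for put_bucket_encryption.

    algorithm is "AES256" (SSE-S3) or "aws:kms" (SSE-KMS). For SSE-KMS the key
    ARN is optional; when it is omitted S3 uses the AWS-managed key aws/s3.
    """
    if algorithm == "AES256":
        if kms_key_arn is not None:
            raise ValueError("a KMS key only applies to the aws:kms algorithm")
        rule = {"SSEAlgorithm": "AES256"}
    elif algorithm == "aws:kms":
        rule = {"SSEAlgorithm": "aws:kms"}
        if kms_key_arn is not None:
            if not is_kms_key_arn(kms_key_arn):
                raise ValueError("not a KMS key ARN: %s" % kms_key_arn)
            rule["KMSMasterKeyID"] = kms_key_arn
    else:
        raise ValueError("unknown SSE algorithm: %s" % algorithm)
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def summarize_sse_config(config):
    """Reduce a ServerSideEncryptionConfiguration (as returned by
    get_bucket_encryption) to (algorithm, key_id).

    key_id is None for SSE-S3 and for SSE-KMS without an explicit key; a
    config of None (nothing configured) yields ("none", None).
    """
    if config is None:
        return ("none", None)
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    return (rule["SSEAlgorithm"], rule.get("KMSMasterKeyID"))


def get_default_encryption(s3, bucket):
    """Return the bucket's configuration, or None when S3 reports that no
    default encryption is set (ServerSideEncryptionConfigurationNotFoundError).
    Any other error is re-raised."""
    from botocore.exceptions import ClientError  # imported lazily: pure helpers above need no SDK

    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    return resp["ServerSideEncryptionConfiguration"]


def enable_default_encryption(s3, bucket, algorithm, kms_key_arn=None):
    """Apply the configuration, then read it back and return the summary so the
    caller verifies what S3 actually stored rather than trusting the request."""
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_sse_config(algorithm, kms_key_arn),
    )
    return summarize_sse_config(get_default_encryption(s3, bucket))


if __name__ == "__main__":
    # Assumed usage (not an AWS CLI): python this_script.py BUCKET AES256|aws:kms [KMS_KEY_ARN]
    # Credentials and region come from the usual boto3 configuration.
    import boto3

    bucket, algorithm = sys.argv[1], sys.argv[2]
    key_arn = sys.argv[3] if len(sys.argv) > 3 else None
    print(enable_default_encryption(boto3.client("s3"), bucket, algorithm, key_arn))
```

Reading the configuration back after writing it is the check worth keeping: the summary tells you whether the bucket ended up on SSE-S3, SSE-KMS with the AWS-managed key, or SSE-KMS with the specific CMK you intended, and a result of ("none", None) from get_default_encryption is the unambiguous signal that a bucket has no default encryption at all.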
