Using server-side encryption with Amazon S3 managed keys (SSE-S3)
Important
Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in Amazon CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the Amazon Command Line Interface and Amazon SDKs. For more information, see Default encryption FAQ.
All new object uploads to Amazon S3 buckets are encrypted by default with server-side encryption with Amazon S3 managed keys (SSE-S3).
Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects.
There are no additional fees for using server-side encryption with Amazon S3 managed keys (SSE-S3). However, requests to configure the default encryption feature incur standard Amazon S3 request charges. For information about pricing, see Amazon S3 pricing.
If you require your data uploads to be encrypted using only Amazon S3 managed keys, you can enforce this with a bucket policy. For example, the following bucket policy denies permission to upload an object unless the request includes the x-amz-server-side-encryption header (with the value AES256) to request server-side encryption with SSE-S3:
{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyObjectsThatAreNotSSES3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}
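As an added example (not part of the Amazon S3 documentation), the following Python builds the policy above for a given bucket and checks sample PutObject requests against its condition. It applies the IAM rule that a negated operator such as StringNotEquals matches when the condition key is absent from the request context, so an upload with no x-amz-server-side-encryption header is denied; the evaluator is a simplified model that assumes Principal, Action and Resource already match, and the bucket name is a placeholder.

```python
def sse_s3_only_policy(bucket: str, partition: str = "aws-cn") -> dict:
    """Return the Deny-unless-AES256 bucket policy from the page for `bucket`."""
    return {
        "Version": "2012-10-17",
        "Id": "PutObjectPolicy",
        "Statement": [{
            "Sid": "DenyObjectsThatAreNotSSES3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:{partition}:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
            },
        }],
    }

def deny_statement_matches(statement: dict, request_keys: dict) -> bool:
    """Evaluate the StringNotEquals block of a Deny statement.
    IAM rule for negated operators: if the condition key is absent from the
    request context, StringNotEquals evaluates to true and the Deny applies.
    Simplified model: Principal, Action and Resource are assumed to match.
    """
    cond = statement.get("Condition", {}).get("StringNotEquals", {})
    for key, expected in cond.items():
        actual = request_keys.get(key)
        if actual is None or actual != expected:
            return True
    return False

def is_upload_denied(policy: dict, headers: dict) -> bool:
    """Map PutObject request headers to condition keys and check each Deny."""
    # The x-amz-server-side-encryption request header populates the
    # s3:x-amz-server-side-encryption condition key; no header, no key.
    keys = {}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        keys["s3:x-amz-server-side-encryption"] = sse
    return any(deny_statement_matches(s, keys)
               for s in policy["Statement"] if s["Effect"] == "Deny")

POLICY = sse_s3_only_policy("amzn-s3-demo-bucket")  # placeholder bucket name

if __name__ == "__main__":
    # No header -> denied; AES256 -> allowed; aws:kms (SSE-KMS) -> denied.
    for sse in (None, "AES256", "aws:kms"):
        h = {} if sse is None else {"x-amz-server-side-encryption": sse}
        print(sse, "denied" if is_upload_denied(POLICY, h) else "allowed")
```

Note that since January 5, 2023 an upload without the header would still be encrypted with SSE-S3 by default, yet this policy continues to deny it, because the condition key is simply absent from the request.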
Note
Server-side encryption encrypts only the object data, not the object metadata.
API support for server-side encryption
All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 PUT requests, or you can set the default encryption configuration in the destination bucket.
If you want to specify a different encryption type in your PUT requests, you can use server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS), dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS), or server-side encryption with customer-provided keys (SSE-C). If you want to set a different default encryption configuration in the destination bucket, you can use SSE-KMS or DSSE-KMS.
To configure server-side encryption by using the object creation REST APIs, you must provide the x-amz-server-side-encryption request header. For information about the REST APIs, see Using the REST API.
The following Amazon S3 APIs support this header:
- PUT operations – Specify the request header when uploading data using the PUT API. For more information, see PUT Object.
- Initiate Multipart Upload – Specify the header in the initiate request when uploading large objects using the multipart upload API operation. For more information, see Initiate Multipart Upload.
- COPY operations – When you copy an object, you have both a source object and a target object. For more information, see PUT Object - Copy.
Note
When using a POST operation to upload an object, instead of providing the request header, you provide the same information in the form fields. For more information, see POST Object.
The Amazon SDKs also provide wrapper APIs that you can use to request server-side encryption. You can also use the Amazon Web Services Management Console to upload objects and request server-side encryption.
For more general information, see Amazon KMS concepts.