Using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).

There are no additional fees for using server-side encryption with Amazon S3-managed keys (SSE-S3). However, requests to configure the default encryption feature incur standard Amazon S3 request charges. For information about pricing, see Amazon S3 pricing.

If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy. For example, the following bucket policy denies permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption:

{ "Version": "2012-10-17", "Id": "PutObjectPolicy", "Statement": [ { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws-cn:s3:::awsexamplebucket1/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } } ] }
  • Server-side encryption encrypts only the object data, not object metadata.

API Support for Server-Side Encryption

To request server-side encryption using the object creation REST APIs, provide the x-amz-server-side-encryption request header. For information about the REST APIs, see Using the REST API.

The following Amazon S3 APIs support this header:

  • PUT operations—Specify the request header when uploading data using the PUT API. For more information, see PUT Object.

  • Initiate Multipart Upload—Specify the header in the initiate request when uploading large objects using the multipart upload API. For more information, see Initiate Multipart Upload.

  • COPY operations—When you copy an object, you have both a source object and a target object. For more information, see PUT Object - Copy.


When using a POST operation to upload an object, instead of providing the request header, you provide the same information in the form fields. For more information, see POST Object.

The Amazon SDKs also provide wrapper APIs that you can use to request server-side encryption. You can also use the Amazon Web Services Management Console to upload objects and request server-side encryption.