Blocking or unblocking SSE-C for a general purpose bucket
Most modern use cases in Amazon S3 no longer use server-side encryption with customer-provided keys (SSE-C) because it lacks the flexibility of server-side encryption with Amazon S3 managed keys (SSE-S3) or server-side encryption with Amazon KMS keys (SSE-KMS). SSE-C's requirement to provide the encryption key each time you interact with your SSE-C encrypted data makes it impractical to share your SSE-C key with other users, roles, or Amazon services who read data from your S3 buckets in order to operate on your data.
To limit the server-side encryption types you can use in your general purpose buckets, you can choose to block SSE-C write requests by updating your default encryption configuration for your buckets. This bucket-level configuration blocks requests to upload objects that specify SSE-C. When SSE-C is blocked for a bucket, any PutObject, CopyObject, PostObject, or Multipart Upload or replication requests that specify SSE-C encryption will be rejected with an HTTP 403 AccessDenied error.
This setting is a parameter on the PutBucketEncryption API and can also be updated using the S3 Console, Amazon CLI, and Amazon SDKs, if you have the s3:PutEncryptionConfiguration permission.
Valid values are SSE-C, which blocks SSE-C encryption for the general purpose bucket, and NONE, which allows the use of SSE-C for writes to the bucket.
Important
Starting in April 2026, Amazon will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in Amazon Web Services accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use of SSE-C via the PutBucketEncryption API after creating the bucket. In these cases, you might need to update automation scripts, Amazon CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the Amazon Storage Blog post
Permissions
Use the PutBucketEncryption API or the S3 Console, Amazon SDKs, or Amazon CLI to block or unblock encryption types for a general purpose bucket. You must have the following permission:
s3:PutEncryptionConfiguration
Use the GetBucketEncryption API or the S3 Console, Amazon SDKs, or Amazon CLI to view blocked encryption types for a general purpose bucket. You must have the following permission:
s3:GetEncryptionConfiguration
Considerations before blocking SSE-C encryption
After you block SSE-C for any bucket, the following encryption behavior applies:
There is no change to the encryption of the objects that existed in the bucket before you blocked SSE-C encryption.
After you block SSE-C encryption, you can continue to make GetObject and HeadObject requests on pre-existing objects encrypted with SSE-C as long as you provide the required SSE-C headers on the requests.
When SSE-C is blocked for a bucket, any PutObject, CopyObject, PostObject, or Multipart Upload requests that specify SSE-C encryption will be rejected with an HTTP 403 AccessDenied error.
If a destination bucket for replication has SSE-C blocked and the source objects being replicated are encrypted with SSE-C, the replication will fail with an HTTP 403 AccessDenied error.
If you want to review whether you're using SSE-C encryption in any of your buckets before blocking this encryption type, you can use tools such as Amazon CloudTrail.
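The pre-block review described above, as an added example that is not part of the original page: it scans constructed CloudTrail S3 data-event records for write requests carrying the SSE-C header, reads constructed GetBucketEncryption results to see which buckets already block SSE-C, and lists the buckets that can be blocked without breaking a current writer. It assumes CloudTrail records the x-amz-server-side-encryption-customer-algorithm header under requestParameters; the bucket names and records are made up.

```python
import json
# Write operations the page says are rejected once SSE-C is blocked; multipart
# uploads show up in CloudTrail as CreateMultipartUpload / UploadPart.
SSE_C_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
# Request header that marks an SSE-C request. Assumption: CloudTrail S3 data events
# record it under requestParameters like other x-amz-* headers.
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"

# Constructed sample CloudTrail records, one JSON document per line (not real log data).
SAMPLE_TRAIL = """
{"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "requestParameters": {"bucketName": "legacy-backups", "key": "db.dump", "x-amz-server-side-encryption-customer-algorithm": "AES256"}}
{"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "requestParameters": {"bucketName": "web-assets", "key": "logo.png", "x-amz-server-side-encryption": "aws:kms"}}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "requestParameters": {"bucketName": "legacy-backups", "key": "db.dump", "x-amz-server-side-encryption-customer-algorithm": "AES256"}}
{"eventSource": "s3.amazonaws.com", "eventName": "UploadPart", "requestParameters": {"bucketName": "media-archive", "key": "raw.mov", "x-amz-server-side-encryption-customer-algorithm": "AES256"}}
"""
# Constructed GetBucketEncryption results keyed by bucket name.
SAMPLE_CONFIGS = {
    "legacy-backups": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "web-assets": {"ServerSideEncryptionConfiguration": {"Rules": [{"BlockedEncryptionTypes": {"EncryptionType": ["SSE-C"]}}]}},
    "media-archive": {"ServerSideEncryptionConfiguration": {"Rules": []}},
    "reports": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}

def sse_c_write_buckets(trail_text):
    """Buckets that received SSE-C write requests according to the trail."""
    hits = set()
    for line in trail_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in SSE_C_WRITE_EVENTS:
            continue  # reads of existing SSE-C objects keep working after blocking
        params = rec.get("requestParameters") or {}
        if params.get(SSE_C_HEADER):
            hits.add(params.get("bucketName"))
    return hits

def sse_c_blocked(config):
    """True if the bucket's encryption configuration already blocks SSE-C."""
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        types = rule.get("BlockedEncryptionTypes", {}).get("EncryptionType", [])
        types = [types] if isinstance(types, str) else types  # tolerate a scalar value
        if "SSE-C" in types:
            return True
    return False

def safe_to_block(trail_text, configs):
    """Buckets with no SSE-C writes in the trail that do not block SSE-C yet."""
    in_use = sse_c_write_buckets(trail_text)
    return sorted(b for b, cfg in configs.items()
                  if b not in in_use and not sse_c_blocked(cfg))
```

Calling safe_to_block(SAMPLE_TRAIL, SAMPLE_CONFIGS) returns the buckets you can block now; the ones returned by sse_c_write_buckets still have a writer that must be migrated first.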
Steps
You can block or unblock server-side encryption with customer-provided keys (SSE-C) for a general purpose bucket by using the Amazon S3 console, the Amazon Command Line Interface (Amazon CLI), the Amazon S3 REST API, and Amazon SDKs.
To block or unblock SSE-C encryption for a bucket using the Amazon S3 console:
Sign in to the Amazon Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the left navigation pane, choose general purpose buckets.
Select the bucket that you would like to block SSE-C encryption for.
Select the Properties tab for the bucket.
Navigate to the Default Encryption properties panel for the bucket and select Edit.
In the Blocked encryption types section, check the box next to Server-side encryption with customer-provided keys (SSE-C) to block SSE-C encryption or uncheck this box to allow SSE-C.
Select Save Changes.
To install the Amazon CLI, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.
The following CLI examples show you how to block or unblock SSE-C encryption for a general purpose bucket by using the Amazon CLI. To use a command, replace the user input placeholders with your own information.
Request to block SSE-C encryption for a general purpose bucket:
aws s3api put-bucket-encryption \
    --bucket amzn-s3-demo-bucket \
    --server-side-encryption-configuration '{ "Rules": [{ "BlockedEncryptionTypes": { "EncryptionType": ["SSE-C"] } }] }'
Request to enable the use of SSE-C encryption on a general purpose bucket:
aws s3api put-bucket-encryption \
    --bucket amzn-s3-demo-bucket \
    --server-side-encryption-configuration '{ "Rules": [{ "BlockedEncryptionTypes": { "EncryptionType": ["NONE"] } }] }'
For information about the Amazon S3 REST API support for blocking or unblocking SSE-C encryption for a general purpose bucket, see the following section in the Amazon Simple Storage Service API Reference:
BlockedEncryptionTypes data type used in the ServerSideEncryptionRule data type of the PutBucketEncryption and GetBucketEncryption API operations.