Monitoring default encryption with Amazon CloudTrail and Amazon EventBridge - Amazon Simple Storage Service
Important

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in Amazon CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the Amazon Command Line Interface and Amazon SDKs. For more information, see Default encryption FAQ.

You can track default encryption configuration requests for Amazon S3 buckets by using Amazon CloudTrail events. The following API event names are used in CloudTrail logs:

  • PutBucketEncryption

  • GetBucketEncryption

  • DeleteBucketEncryption

You can also create EventBridge rules to match the CloudTrail events for these API calls. For more information about CloudTrail events, see Enable logging for objects in a bucket using the console. For more information about EventBridge events, see Events from Amazon Web Services services.

You can use CloudTrail logs for object-level Amazon S3 actions to track PUT and POST requests to Amazon S3. You can use these actions to verify whether default encryption is being used to encrypt objects when incoming PUT requests don't have encryption headers.

When Amazon S3 encrypts an object by using the default encryption settings, the log includes one of the following fields as the name-value pair: "SSEApplied":"Default_SSE_S3", "SSEApplied":"Default_SSE_KMS", or "SSEApplied":"Default_DSSE_KMS".

When Amazon S3 encrypts an object by using the PUT encryption headers, the log includes one of the following fields as the name-value pair: "SSEApplied":"SSE_S3", "SSEApplied":"SSE_KMS", "SSEApplied":"DSSE_KMS", or "SSEApplied":"SSE_C".

For multipart uploads, this information is included in your InitiateMultipartUpload API operation requests. For more information about using CloudTrail and CloudWatch, see Logging and monitoring in Amazon S3.
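As an added example (not from the S3 documentation), the following Python audit reads one CloudTrail log file, flags the PutBucketEncryption and DeleteBucketEncryption configuration events described above, and classifies each upload by the SSEApplied value to distinguish objects encrypted by the bucket default from those encrypted via PUT headers. It assumes the SSEApplied pair sits under additionalEventData, the sample records and all identifiers are constructed, and the UPLOAD_EVENTS set is an assumption you may need to extend.

```python
import json
from collections import Counter

DEFAULT_SSE = {"Default_SSE_S3", "Default_SSE_KMS", "Default_DSSE_KMS"}
HEADER_SSE = {"SSE_S3", "SSE_KMS", "DSSE_KMS", "SSE_C"}
CONFIG_EVENTS = {"PutBucketEncryption", "DeleteBucketEncryption"}
UPLOAD_EVENTS = {"PutObject", "PostObject"}  # assumption: extend with your multipart event names

# Constructed sample CloudTrail records: the layout follows the CloudTrail
# record format, but every account, ARN, bucket and key is made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "b.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "c.txt"},
     "additionalEventData": {}},
]})

def classify_sse(sse_applied):
    """Tell whether encryption came from the bucket default or from PUT headers."""
    if sse_applied in DEFAULT_SSE:
        return "default"   # bucket default encryption filled the gap
    if sse_applied in HEADER_SSE:
        return "header"    # the client requested encryption explicitly
    return "none"          # no SSEApplied pair (or a value we do not recognise)

def audit_records(log_text):
    """Summarise default-encryption activity in one CloudTrail log file."""
    report = {"config_changes": [], "objects": Counter(), "unencrypted": []}
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name, params = rec.get("eventName"), rec.get("requestParameters") or {}
        if name in CONFIG_EVENTS:
            actor = (rec.get("userIdentity") or {}).get("arn")
            report["config_changes"].append((name, params.get("bucketName"), actor))
        elif name in UPLOAD_EVENTS:
            how = classify_sse((rec.get("additionalEventData") or {}).get("SSEApplied"))
            report["objects"][how] += 1
            if how == "none":
                report["unencrypted"].append(f'{params.get("bucketName")}/{params.get("key")}')
    return report
```

The config_changes list is what an EventBridge rule on these event names would deliver; the unencrypted list is the set of uploads where neither the default nor a PUT header applied encryption.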