Setting default server-side encryption behavior for Amazon S3 buckets - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Setting default server-side encryption behavior for Amazon S3 buckets

With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3 managed keys (SSE-S3) or Amazon KMS keys stored in Amazon Key Management Service (Amazon KMS) (SSE-KMS).

When you configure your bucket to use default encryption with SSE-KMS, you can also enable S3 Bucket Keys to decrease request traffic from Amazon S3 to Amazon Key Management Service (Amazon KMS) and reduce the cost of encryption. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.

To identify buckets that have SSE-KMS enabled for default encryption, you can use Amazon S3 Storage Lens metrics. S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. For more information, see Using S3 Storage Lens to protect your data.

When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk and decrypts it when you download the object. For more information about protecting data using server-side encryption and encryption key management, see Protecting data using server-side encryption.

For more information about permissions required for default encryption, see PutBucketEncryption in the Amazon Simple Storage Service API Reference.

To set up default encryption on a bucket, you can use the Amazon S3 console, Amazon CLI, Amazon SDKs, or the REST API. For more information, see Enabling Amazon S3 default bucket encryption.

Encrypting existing objects

To encrypt your existing Amazon S3 objects, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects to operate on, and Batch Operations calls the respective API to perform the specified operation. You can use the Batch Operations Copy operation to copy existing unencrypted objects and write them back to the same bucket as encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see Performing large-scale batch operations on Amazon S3 objects and the Amazon Storage Blog post Encrypting objects with Amazon S3 Batch Operations.

You can also encrypt existing objects using the Copy Object API. For more information, see the Amazon Storage Blog post Encrypting existing Amazon S3 objects with the Amazon CLI.

Note

Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Logging requests using server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.

Using SSE-KMS encryption for cross-account operations

Be aware of the following when using SSE-KMS encryption for cross-account operations:

  • The Amazon managed key (aws/s3) is used when an Amazon KMS key Amazon Resource Name (ARN) or alias is provided neither at request time nor in the bucket's default encryption configuration.

  • If you're uploading or accessing S3 objects using Amazon Identity and Access Management (IAM) principals that are in the same Amazon Web Services account as your KMS key, you can use the Amazon managed key (aws/s3).

  • Use a customer managed key if you want to grant cross-account access to your SSE-KMS encrypted S3 objects. You can configure the policy of a customer managed key to allow access from another account.

  • If you specify your own KMS key, use a fully qualified KMS key ARN. When you use a KMS key alias, be aware that Amazon KMS resolves the alias within the requester's account. This can result in data being encrypted with a KMS key that belongs to the requester rather than to the bucket administrator.

  • You must specify a key for which you (the requester) have been granted Encrypt permission. For more information, see Allows key users to use a KMS key for cryptographic operations in the Amazon Key Management Service Developer Guide.

For more information about when to use customer managed keys and the Amazon managed KMS keys, see Should I use an Amazon managed key or a customer managed KMS key to encrypt my objects on Amazon S3?
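As an added example (not code from the Amazon documentation), the following Python builds the ServerSideEncryptionConfiguration document that PutBucketEncryption accepts and audits an existing one for the points above: no default encryption, SSE-KMS without a key (which falls back to aws/s3), an alias instead of a fully qualified key ARN, disabled S3 Bucket Keys, and SSE-KMS on a server access log destination bucket. The key ARN used is a constructed sample, and no AWS API calls are made.

```python
import re

# Fully qualified KMS key ARN in any partition (aws, aws-cn, aws-us-gov).
KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)


def default_encryption_config(kms_key_arn=None, bucket_key=True):
    """Build the document passed to PutBucketEncryption.
    No key ARN means SSE-S3 (AES256); a key ARN means SSE-KMS."""
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    if kms_key_arn is not None:
        # An alias or bare key ID resolves in the requester's account,
        # so only accept a fully qualified ARN for the bucket default.
        if not KEY_ARN.match(kms_key_arn):
            raise ValueError("use a fully qualified KMS key ARN, not an alias")
        rule["ApplyServerSideEncryptionByDefault"] = {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
        rule["BucketKeyEnabled"] = bucket_key
    return {"Rules": [rule]}


def audit_default_encryption(config, log_destination=False):
    """Return findings for a GetBucketEncryption-style document
    (None or an empty Rules list means no default encryption)."""
    if not config or not config.get("Rules"):
        return ["no default encryption: new objects are stored unencrypted"]
    findings = []
    for rule in config["Rules"]:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") != "aws:kms":
            continue  # SSE-S3 needs none of the KMS checks below
        key = sse.get("KMSMasterKeyID")
        if key is None:
            findings.append("SSE-KMS without a key uses the Amazon managed "
                            "key aws/s3, which cannot grant cross-account access")
        elif not KEY_ARN.match(key):
            findings.append(f"KMS key {key!r} is not a fully qualified ARN; "
                            "an alias resolves in the requester's account")
        if not rule.get("BucketKeyEnabled", False):
            findings.append("S3 Bucket Keys disabled: each new object "
                            "costs a separate Amazon KMS request")
        if log_destination:
            findings.append("SSE-KMS default encryption is not supported on "
                            "a server access log destination; use SSE-S3")
    return findings
```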

Using default encryption with replication

When you enable default encryption for a replication destination bucket, the following encryption behavior applies:

  • If objects in the source bucket are not encrypted, the replica objects in the destination bucket are encrypted using the default encryption settings of the destination bucket. This results in the ETag of the source object being different from the ETag of the replica object. You must update applications that use the ETag to accommodate this difference.

  • If objects in the source bucket are encrypted using SSE-S3 or SSE-KMS, the replica objects in the destination bucket use the same encryption as the source object encryption. The default encryption settings of the destination bucket are not used.

For more information about using default encryption with SSE-KMS, see Replicating encrypted objects (SSE-C, SSE-S3, SSE-KMS).

Using Amazon S3 Bucket Keys with default encryption

When you configure your bucket to use default encryption for SSE-KMS on new objects, you can also configure S3 Bucket Keys. S3 Bucket Keys decrease the number of transactions from Amazon S3 to Amazon KMS to reduce the cost of server-side encryption using Amazon Key Management Service (SSE-KMS).

When you configure your bucket to use S3 Bucket Keys for SSE-KMS on new objects, Amazon KMS generates a bucket-level key that is used to create a unique data key for objects in the bucket. This bucket key is used for a time-limited period within Amazon S3, reducing the need for Amazon S3 to make requests to Amazon KMS to complete encryption operations.

For more information about using an S3 Bucket Key, see Using Amazon S3 Bucket Keys.