AWS-EnableS3BucketKeys - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWS-EnableS3BucketKeys runbook enables Bucket Keys on the Amazon Simple Storage Service (Amazon S3) bucket you specify. This bucket level key creates data keys for new objects during its lifecycle. If you don't specify a value for the KmsKeyId parameter, server-side encryption using Amazon S3 managed keys (SSE-S3) are used for the default encryption configuration.


Amazon S3 Bucket Keys aren't supported for dual-layer server-side encryption with Amazon Key Management Service (Amazon KMS) keys (DSSE-KMS).

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • BucketName

    Type: String

    Description: (Required) The name of the S3 bucket you want to enable Bucket Keys for.

  • KMSKeyId

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN), key ID, or the key alias of the Amazon Key Management Service (Amazon KMS) customer managed key you want to use for server-side encryption.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • s3:GetEncryptionConfiguration

  • s3:PutEncryptionConfiguration

Document Steps

  • ChooseEncryptionType (aws:branch) - Evaluates the value provided for the KmsKeyId parameter to determine if SSE-S3 (AES256) or SSE-KMS will be used.

  • PutBucketKeysKMS (aws:executeAwsApi) - Sets the BucketKeyEnabled property to true for the specified S3 bucket using the specified KmsKeyId.

  • PutBucketKeysAES256 (aws:executeAwsApi) - Sets the BucketKeyEnabled property to true for the specified S3 bucket with AES256 encryption.

  • VerifyS3BucketKeysEnabled (aws:assertAwsResourceProperty) - Verifies that the Bucket Keys are enabled on the target S3 bucket.