When I activate default encryption on my Amazon S3 bucket, do I need to update my bucket policy so that objects in the bucket are encrypted?


I activated default encryption on my Amazon Simple Storage Service (Amazon S3) bucket. Do I need to change my bucket policy to make sure that objects stored in my bucket are encrypted?

Resolution

No, you don't need to update your bucket policy to make sure that objects stored in your bucket are encrypted. When default encryption is activated and a user uploads an object without specifying any encryption information, Amazon S3 encrypts the object with the default encryption method that you configured for the bucket. If the PUT request does specify encryption information (for example, the x-amz-server-side-encryption header), then Amazon S3 uses the encryption specified in the request instead of the bucket default.

This behavior applies to server-side encryption with keys that are:

  • Managed by Amazon S3 (SSE-S3).
  • Managed by AWS Key Management Service (AWS KMS), including customer managed keys (SSE-KMS).

For more information on encryption behavior after you activate default encryption, see Setting default server-side encryption behavior for Amazon S3 buckets.
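Default encryption guarantees that every object is encrypted at rest, but it does not stop an uploader from choosing a different encryption method in the request, because the request header wins over the bucket default. If you want SSE-KMS and nothing else, a bucket policy is still the place to enforce that. The following policy is an added example and is not part of the original article; the bucket name DOC-EXAMPLE-BUCKET is a placeholder, and the statement is meant to be added alongside (not in place of) whatever access statements your bucket policy already has.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectUnlessSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

With StringNotEqualsIfExists, a PutObject request that carries the x-amz-server-side-encryption header is denied unless its value is aws:kms, while a request that carries no header is allowed and falls under the bucket's default encryption. If you use plain StringNotEquals instead, requests without the header are also denied, because negated condition operators match when the key is absent from the request context; that is the stricter variant to use when you want every caller to state the encryption method explicitly. To pin uploads to one specific customer managed key, add a second Deny statement on the s3:x-amz-server-side-encryption-aws-kms-key-id condition key with your key ARN as the value. Note that a Deny with Principal "*" applies to every identity, including principals in the bucket owner's own account.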

Important: After you activate default encryption using a custom (customer managed) AWS KMS key, you must grant users additional permissions before they can access objects: at minimum, kms:GenerateDataKey to upload and kms:Decrypt to download. Grant those permissions on the key policy or on the users' AWS Identity and Access Management (IAM) policy. For instructions on how to grant these permissions, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket? For cross-account operations, see Using SSE-KMS encryption for cross-account operations.


Related information

Key policies in AWS KMS

AWS KMS concepts

AWS OFFICIAL (updated a year ago)