Amazon Simple Storage Service
API Reference (API Version 2006-03-01)

PUT Bucket encryption

Description

This implementation of the PUT operation uses the encryption subresource to set the default encryption state of an existing bucket.

This implementation of the PUT operation sets default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption in the Amazon Simple Storage Service Developer Guide.

Important

This operation requires AWS Signature Version 4. For more information, see Authenticating Requests (AWS Signature Version 4).

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon Simple Storage Service Developer Guide.

Requests

Syntax

PUT /?encryption HTTP/1.1
Host: bucketname.s3.amazonaws.com
Content-Length: length
Date: date
Authorization: authorization string (see Authenticating Requests (AWS Signature Version 4))

default encryption configuration in the request body

Request Parameters

This implementation of the operation does not use request parameters.

Request Headers

This implementation of the operation uses only request headers that are common to all operations. For more information, see Common Request Headers.

Request Body

You specify the encryption configuration as XML in the request body. The following examples show setting encryption using SSE-S3 or SSE-KMS.

The following is an example of the request body for setting SSE-S3.

<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>AES256</SSEAlgorithm>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>

The following is an example of the request body for setting SSE-KMS.

<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>aws:kms</SSEAlgorithm>
      <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>

The following table describes the XML elements in the encryption configuration:

ApplyServerSideEncryptionByDefault
  Description: Container for setting server-side encryption by default.
  Type: Container
  Children: SSEAlgorithm, KMSMasterKeyID
  Ancestor: Rule
  Required: No

KMSMasterKeyID
  Description: The AWS KMS master key ID used for the SSE-KMS encryption.
  Type: String
  Ancestor: ApplyServerSideEncryptionByDefault
  Constraint: Can only be used when you set the value of SSEAlgorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the SSEAlgorithm is aws:kms.
  Required: No

Rule
  Description: Container for server-side encryption by default configuration.
  Type: Container
  Children: ApplyServerSideEncryptionByDefault
  Ancestor: ServerSideEncryptionConfiguration
  Required: Yes

ServerSideEncryptionConfiguration
  Description: Container for the server-side encryption by default configuration rule.
  Type: Container
  Children: Rule
  Ancestor: None
  Required: Yes

SSEAlgorithm
  Description: The server-side encryption algorithm to use.
  Type: String
  Valid Values: AES256, aws:kms
  Ancestor: ApplyServerSideEncryptionByDefault
  Constraint: Can only be used when you use ApplyServerSideEncryptionByDefault.
  Required: Yes
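
The element constraints above can be checked before a request body is sent. The following Python sketch is an added example, not part of the AWS reference or any AWS SDK: check_encryption_config and body are hypothetical helper names, and the KMS_NO_KEY and MIXED bodies are constructed for illustration. It validates a body against the table and reports which key would actually protect new objects, including the fallback to the default aws/s3 key when KMSMasterKeyID is absent.

```python
import xml.etree.ElementTree as ET

NS = "http://s3.amazonaws.com/doc/2006-03-01/"  # namespace from the request bodies above
VALID_ALGORITHMS = {"AES256", "aws:kms"}        # "Valid Values" for SSEAlgorithm

def _q(name):
    return "{%s}%s" % (NS, name)

def check_encryption_config(xml_text):
    """Check a request body against the element table.

    Returns (algorithm, key): key is the KMSMasterKeyID, "aws/s3" when aws:kms
    is set without one, or None for AES256. Raises ValueError on a violation.
    Meant for bodies you author yourself, not for untrusted XML.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("ServerSideEncryptionConfiguration"):
        raise ValueError("root element must be ServerSideEncryptionConfiguration")
    rule = root.find(_q("Rule"))
    if rule is None:
        raise ValueError("Rule is required")
    default = rule.find(_q("ApplyServerSideEncryptionByDefault"))
    if default is None:
        # Optional per the table, but then the rule sets no default; rejecting
        # it is this checker's own choice.
        raise ValueError("rule sets no default encryption")
    algo = (default.findtext(_q("SSEAlgorithm")) or "").strip()
    if algo not in VALID_ALGORITHMS:
        raise ValueError("SSEAlgorithm must be AES256 or aws:kms, got %r" % algo)
    key = (default.findtext(_q("KMSMasterKeyID")) or "").strip()
    if algo == "AES256":
        if key:
            raise ValueError("KMSMasterKeyID can only be used with aws:kms")
        return algo, None
    return algo, key or "aws/s3"

def body(inner):
    """Wrap the children of ApplyServerSideEncryptionByDefault in a full body."""
    return ('<ServerSideEncryptionConfiguration xmlns="%s"><Rule>'
            '<ApplyServerSideEncryptionByDefault>%s</ApplyServerSideEncryptionByDefault>'
            '</Rule></ServerSideEncryptionConfiguration>' % (NS, inner))

KEY = "<KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>"
KMS_WITH_KEY = body("<SSEAlgorithm>aws:kms</SSEAlgorithm>" + KEY)  # SSE-KMS body from this page
KMS_NO_KEY = body("<SSEAlgorithm>aws:kms</SSEAlgorithm>")          # constructed
MIXED = body("<SSEAlgorithm>AES256</SSEAlgorithm>" + KEY)          # constructed, invalid

if __name__ == "__main__":
    print(check_encryption_config(KMS_WITH_KEY))
    print(check_encryption_config(KMS_NO_KEY))
```

A result of ("aws:kms", "aws/s3") is worth reviewing when the intent was a customer-managed key, because the body is valid but falls back to the default key.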

Responses

Response Headers

This implementation of the operation uses only response headers that are common to most responses. For more information, see Common Response Headers.

Response Elements

This implementation of the operation does not return response elements.

Special Errors

This implementation of the operation does not return special errors. For general information about Amazon S3 errors and a list of error codes, see Error Responses.

Examples

Example 1: Set the Default Encryption Configuration for an S3 Bucket

The following is an example of a PUT /?encryption request that specifies AWS KMS encryption.

PUT /?encryption HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Date: Wed, 06 Sep 2017 12:00:00 GMT
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>aws:kms</SSEAlgorithm>
      <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>

The following is an example response:

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
x-amz-id-2: B3Z1w/R0GaUCDHStDVuoz+4NSndjUDYuE3jvJ5kvrDroucdFCygEQYEwpC0Lj0Cv
x-amz-request-id: E0DE682C2FDDBCF8
Date: Wed, 06 Sep 2017 12:00:00 GMT
Content-Length: 0
Server: AmazonS3