AWS CodePipeline
User Guide (API Version 2015-07-09)

Encryption for Artifacts Stored in Amazon S3 for AWS CodePipeline

When you use the Create Pipeline wizard to create your first pipeline, an Amazon S3 bucket is created for you in the same region you created the pipeline. The bucket is used to store pipeline artifacts. When a pipeline runs, artifacts are put into and retrieved from the Amazon S3 bucket. By default, AWS CodePipeline uses server-side encryption with the AWS KMS-managed keys (SSE-KMS) using the default key for Amazon S3 (the aws/s3 key). This key is created and stored in your AWS account. When artifacts are retrieved from the Amazon S3 bucket, AWS CodePipeline uses the same SSE-KMS process to decrypt the artifact. For more information about server-side encryption and AWS KMS, see Protecting Data Using Server-Side Encryption.

You can choose to use your own customer-managed key instead of the default Amazon S3 key. Some reasons for doing so include:

To view information about a AWS KMS key, do the following:

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the service navigation pane, choose Encryption Keys. (If a welcome page appears, choose Get Started Now.)

  3. In Filter, choose the region for your pipeline. For example, if the pipeline was created in us-east-2, make sure the filter is set to US East (Ohio).

    For more information about the regions and endpoints available for AWS CodePipeline, see Regions and Endpoints.

  4. In the list of encryption keys, choose the key with the alias used for your pipeline (by default, aws/s3). Basic information about the key will be displayed.

If you are using the default Amazon S3 key, you cannot change or delete this AWS-managed key. If you are using a customer-managed key in AWS KMS to encrypt or decrypt artifacts in the Amazon S3 bucket, you can change or rotate this key as necessary.

For more information about AWS KMS, see the AWS Key Management Service Developer Guide.