AWS::S3::Bucket ServerSideEncryptionRule

Specifies the default server-side encryption configuration.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "ServerSideEncryptionByDefault" : ServerSideEncryptionByDefault
}

YAML


  ServerSideEncryptionByDefault: 
    ServerSideEncryptionByDefault

Properties

ServerSideEncryptionByDefault

Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.

Required: No

Type: ServerSideEncryptionByDefault

Update requires: No interruption

Examples

Create a bucket with default encryption

The following example creates a bucket with server-side bucket encryption configured. This example uses KMS-managed keys. You can use S3-managed keys instead by modifying the Amazon S3 Bucket ServerSideEncryptionByDefault property.

JSON


{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
    "EncryptedS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "KMS-KEY-ARN"
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Delete"
    }
  }
}

YAML


AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

ServerSideEncryptionByDefault

SourceSelectionCriteria