AWS::S3::Bucket ServerSideEncryptionRule
Specifies the default server-side encryption configuration.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "BucketKeyEnabled" :Boolean, "ServerSideEncryptionByDefault" :ServerSideEncryptionByDefault}
Properties
BucketKeyEnabled-
Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the
BucketKeyEnabledelement totruecauses Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled.For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.
Required: No
Type: Boolean
Update requires: No interruption
ServerSideEncryptionByDefault-
Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.
Required: No
Type: ServerSideEncryptionByDefault
Update requires: No interruption
Examples
Create a bucket with default encryption
The following example creates a bucket with server-side bucket encryption configured.
This example uses encryption with KMS keys (SSE-KMS). You can use
dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) by
specifying aws:kms:dsse for SSEAlgorithm. You can also use server-side encryption
with S3-managed keys (SSE-S3) by modifying the Amazon S3 Bucket ServerSideEncryptionByDefault property to specify
AES256 for SSEAlgorithm. For more information, see Using SSE-S3 in the Amazon S3 User Guide.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" } } ] } }, "DeletionPolicy": "Delete" } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN DeletionPolicy: Delete
Create a bucket using KMS server-side encryption with an S3 Bucket Key
The following example creates a bucket that specifies default encryption using AWS KMS server-side encryption with an S3 Bucket Key. The example uses a customer managed AWS KMS key.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption using SSE-KMS with an S3 Bucket Key", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" }, "BucketKeyEnabled": true } ] } }, "DeletionPolicy": "Delete" } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: S3 bucket with default encryption using SSE-KMS with an S3 Bucket Key Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN BucketKeyEnabled: true DeletionPolicy: Delete
