AWS::S3::Bucket ServerSideEncryptionRule - AWS CloudFormation

AWS::S3::Bucket ServerSideEncryptionRule

Specifies the default server-side encryption configuration.


To declare this entity in your AWS CloudFormation template, use the following syntax:



Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.

Required: No

Type: ServerSideEncryptionByDefault

Update requires: No interruption


Create a bucket with default encryption

The following example creates a bucket with server-side bucket encryption configured. This example uses KMS-managed keys. You can use S3-managed keys instead by modifying the Amazon S3 Bucket ServerSideEncryptionByDefault property.


{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ARN" } } ] } }, "DeletionPolicy": "Delete" } } }


AWSTemplateFormatVersion: '2010-09-09' Description: S3 bucket with default encryption Resources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' KMSMasterKeyID: KMS-KEY-ARN DeletionPolicy: Delete