Amazon Simple Storage Service
API Reference (API Version 2006-03-01)


This implementation of the PUT operation uses the encryption subresource to set the default encryption state of an existing bucket.

This implementation of the PUT operation sets default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS customer master keys (CMKs) (SSE-KMS).


This operation requires AWS Signature Version 4. For more information, see Authenticating Requests (AWS Signature Version 4).

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon Simple Storage Service Developer Guide.

Request Syntax

PUT /?encryption HTTP/1.1
Host:
Content-MD5: ContentMD5
<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionConfiguration xmlns="">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <KMSMasterKeyID>string</KMSMasterKeyID>
         <SSEAlgorithm>string</SSEAlgorithm>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
   ...
</ServerSideEncryptionConfiguration>

URI Request Parameters

The request requires the following URI parameters.


Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or customer master keys stored in AWS KMS (SSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption in the Amazon Simple Storage Service Developer Guide.


The base64-encoded 128-bit MD5 digest of the server-side encryption configuration. This parameter is auto-populated when using the command from the CLI.

Request Body

The request accepts the following data in XML format.


Root level tag for the ServerSideEncryptionConfiguration parameters.

Required: Yes


Container for information about a particular server-side encryption configuration rule.

Type: Array of ServerSideEncryptionRule data types

Required: Yes

Response Syntax

HTTP/1.1 200

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


In the request, you specify the encryption configuration in the request body. The encryption configuration is specified as XML, as shown in the following examples that show setting encryption using SSE-S3 or SSE-KMS.

Request Body for Setting SSE-S3

<ServerSideEncryptionConfiguration xmlns="">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>AES256</SSEAlgorithm>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>

Request Body for Setting SSE-KMS

<ServerSideEncryptionConfiguration xmlns="">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>aws:kms</SSEAlgorithm>
         <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>
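The following added example (not part of the original reference or of any AWS SDK) builds the request body described above, rejects rules that mix a KMS key with SSE-S3, and derives the Content-MD5 and Content-Length headers from the exact bytes that would be sent. The function names are hypothetical, the xmlns value is left empty as on this page, and Signature Version 4 signing is out of scope.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

VALID_ALGORITHMS = {"AES256", "aws:kms"}  # SSE-S3 and SSE-KMS


def build_encryption_config(sse_algorithm, kms_key_id=None, xmlns=""):
    """Return the ServerSideEncryptionConfiguration body as UTF-8 bytes."""
    if sse_algorithm not in VALID_ALGORITHMS:
        raise ValueError(f"unsupported SSEAlgorithm: {sse_algorithm!r}")
    if kms_key_id is not None and sse_algorithm != "aws:kms":
        # A KMS key only applies to SSE-KMS; refuse an ambiguous rule.
        raise ValueError("KMSMasterKeyID requires SSEAlgorithm aws:kms")
    # xmlns defaults to the empty value shown on this page (assumption).
    root = ET.Element("ServerSideEncryptionConfiguration", {"xmlns": xmlns})
    default = ET.SubElement(ET.SubElement(root, "Rule"),
                            "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = sse_algorithm
    if kms_key_id is not None:
        # ElementTree escapes the text, so a hostile key id cannot inject tags.
        ET.SubElement(default, "KMSMasterKeyID").text = kms_key_id
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def content_md5(body):
    """Base64 of the raw 128-bit MD5 digest (not of its hex string)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def build_put_encryption(sse_algorithm, kms_key_id=None):
    """Return (request line, headers, body) for an unsigned PUT /?encryption."""
    body = build_encryption_config(sse_algorithm, kms_key_id)
    headers = {
        "Content-MD5": content_md5(body),   # computed over the bytes sent
        "Content-Length": str(len(body)),
    }
    return "PUT /?encryption HTTP/1.1", headers, body


if __name__ == "__main__":
    # Key ARN taken from the SSE-KMS example on this page.
    line, headers, body = build_put_encryption(
        "aws:kms", "arn:aws:kms:us-east-1:1234/5678example")
    print(line)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode("utf-8"))
```

Compute the digest after serialization: any later change to whitespace or encoding changes the body bytes and invalidates the header.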

Set the Default Encryption Configuration for an S3 Bucket

The following is an example of a PUT /?encryption request that specifies AWS KMS encryption.

PUT /?encryption HTTP/1.1
Host:
x-amz-date: Tue, 21 Aug 2012 17:54:50 GMT
Content-MD5: ContentMD5
Authorization: authorization string
Content-Length: length
<ServerSideEncryptionConfiguration xmlns="">
   <Rule>
      <ApplyServerSideEncryptionByDefault>
         <SSEAlgorithm>aws:kms</SSEAlgorithm>
         <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
      </ApplyServerSideEncryptionByDefault>
   </Rule>
</ServerSideEncryptionConfiguration>
