Menu
Amazon Simple Storage Service
API Reference (API Version 2006-03-01)

GET Bucket encryption

Description

This implementation of the GET operation uses the encryption subresource to return the default encryption configuration for an Amazon S3 bucket. For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption in the Amazon Simple Storage Service Developer Guide.

To use this operation, you must have permission to perform the s3:GetEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon Simple Storage Service Developer Guide.

Requests

Syntax

Copy
GET /?encryption HTTP/1.1 Host: bucketname.s3.amazonaws.com Content-Length: length Date: date Authorization: authorization string (see Authenticating Requests (AWS Signature Version 4))

Request Parameters

This implementation of the operation does not use request parameters.

Request Headers

This implementation of the operation uses only request headers that are common to all operations. For more information, see Common Request Headers.

Request Elements

This implementation of the operation does not use request elements.

Responses

Response Headers

This implementation of the operation uses only response headers that are common to most responses. For more information, see Common Response Headers.

Response Elements

This implementation of GET returns the following response elements.

Name Description
ApplyServerSideEncryptionByDefault

Container for setting server-side encryption by default.

Type: Container

Children: SSEAlgorithm, KMSMasterKeyID

Ancestor: Rule

KMSMasterKeyID

The AWS KMS master key ID used for the SSE-KMS encryption.

Type: String

Ancestor: ApplyServerSideEncryptionByDefault

Constraint: Can only be used when you set the value of SSEAlgorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the SSEAlgorithm is aws:kms.

Rule

Container for server-side encryption by default configuration.

Type: Container

Children: ApplyServerSideEncryptionByDefault

Ancestor: ServerSideEncryptionConfiguration

ServerSideEncryptionConfiguration

Container for the server-side encryption by default configuration rule.

Type: Container

Children: Rule

Ancestor: None

SSEAlgorithm

The server-side encryption algorithm to use.

Type: String

Valid Values: AES256, aws:kms

Ancestor: ApplyServerSideEncryptionByDefault

Constraint: Can only be used when you use ApplyServerSideEncryptionByDefault.

Special Errors

This implementation of the operation does not return special errors. For general information about Amazon S3 errors and a list of error codes, see Error Responses.

Examples

Example 1: Retrieve the Encryption Configuration for an S3 Bucket

The following example shows a GET /?encryption request.

Copy
GET /?encryption HTTP/1.1 Host: examplebucket.s3.amazonaws.com Date: Wed, 06 Sep 2017 12:00:00 GMT Authorization: authorization string Content-Length: length

The following is a sample of the response.

Copy
HTTP/1.1 200 OK x-amz-id-2: kDmqsuw5FDmgLmxQaUkd9A4NJ/PIiE0c1rAU/ue2Yp60toXs4I5k5fqlwZsA6fV+wJQCzRRwygQ= x-amz-request-id: 5D8706FCB2673B7D Date: Wed, 06 Sep 2017 12:00:00 GMT Transfer-Encoding: chunked Server: AmazonS3 <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>aws:kms</SSEAlgorithm> <KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration>