Amazon Simple Storage Service
Console User Guide

How Do I Add Encryption to an S3 Object?

This topic describes how to set or change the type of encryption an object is using.

To add encryption to an object

  1. Sign in to the AWS Management Console and open the Amazon S3 console at

  2. In the Bucket name list, choose the name of the bucket that contains the object.

  3. In the Name list, choose the name of the object that you want to add encryption to.

  4. Choose Properties, and then choose Encryption.

  5. Select AES-256 or AWS-KMS.

    1. To encrypt your object using keys that are managed by Amazon S3, select AES-256. For more information about using Amazon S3 server-side encryption to encrypt your data, see Protecting Data with Amazon S3-Managed Encryption Keys Classes in the Amazon Simple Storage Service Developer Guide.

    2. To encrypt your object using AWS Key Management Service (AWS KMS), choose AWS-KMS, choose a master key from the list of the AWS KMS master keys that you have created, and then choose Save.


      To encrypt objects in the bucket, you can use only keys that are enabled in the same AWS Region as the bucket.

      For more information about creating an AWS KMS key, see Creating Keys in the AWS Key Management Service Developer Guide. For more information, see Protecting Data with AWS KMS–Managed Key in the Amazon Simple Storage Service Developer Guide.

      You can give an external account the ability to use an object that is protected by an AWS KMS key. To do this, select Custom KMS ARN from the list, type the Amazon Resource Name (ARN) for the external account, and then choose Save. Administrators of an external account who have usage permissions to an object protected by your AWS KMS key can further restrict access by creating a resource-level AWS Identity and Access Management (IAM) policy.
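The same change can be made through the API by copying the object onto itself with new encryption settings. The following Python (boto3) code is an added example, not part of the original guide; it checks the same-Region requirement for the KMS key before building the request and reads the encryption state back afterwards. The helper names are hypothetical, and the bucket, object key, account ID and key ID are constructed placeholders.

```python
# Added example (not from the AWS guide). Helper names are hypothetical.
def kms_arn_region(key_arn):
    """Return the Region field of a KMS ARN: arn:partition:kms:region:account:resource."""
    parts = key_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" or not parts[3]:
        raise ValueError(f"not a KMS ARN: {key_arn!r}")
    return parts[3]


def build_copy_args(bucket, key, bucket_region, kms_key_arn=None):
    """Arguments for copy_object that rewrite the object in place with new encryption.

    kms_key_arn=None corresponds to the console's AES-256 option (S3-managed keys);
    a key ARN corresponds to the AWS-KMS option.
    """
    args = {
        "Bucket": bucket,
        "Key": key,
        "CopySource": {"Bucket": bucket, "Key": key},  # copy the object onto itself
        "MetadataDirective": "COPY",                   # keep existing user metadata
    }
    if kms_key_arn is None:
        args["ServerSideEncryption"] = "AES256"
        return args
    key_region = kms_arn_region(kms_key_arn)
    if key_region != bucket_region:
        # The guide's constraint: the key must be in the same Region as the bucket.
        raise ValueError(f"key is in {key_region}, bucket is in {bucket_region}")
    args["ServerSideEncryption"] = "aws:kms"
    args["SSEKMSKeyId"] = kms_key_arn
    return args


def apply_encryption(bucket, key, bucket_region, kms_key_arn=None):
    """Apply the change, then read back what S3 reports for the object."""
    import boto3  # imported here so the helpers above work without AWS access
    s3 = boto3.client("s3", region_name=bucket_region)
    s3.copy_object(**build_copy_args(bucket, key, bucket_region, kms_key_arn))
    head = s3.head_object(Bucket=bucket, Key=key)
    return head.get("ServerSideEncryption"), head.get("SSEKMSKeyId")


if __name__ == "__main__":
    # Constructed placeholder values; no request is sent.
    arn = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"
    print(build_copy_args("example-bucket", "reports/q1.csv", "us-west-2", arn))
```

A single copy_object call handles objects up to 5 GB, and on a versioning-enabled bucket it writes a new object version rather than re-encrypting earlier versions.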
