How do I add encryption to an S3 object? - Amazon Simple Storage Service

This topic describes how to set or change the type of encryption for an object by using the Amazon S3 console.


If you change an object's encryption, a new object is created to replace the old one. If S3 Versioning is enabled, a new version of the object is created, and the existing object becomes an older version. The role that changes the property also becomes the owner of the new object (or object version).

To add or change encryption for an object

  1. Sign in to the AWS Management Console and open the Amazon S3 console at

  2. In the Bucket name list, choose the name of the bucket that contains the object.

  3. In the Name list, choose the name of the object that you want to add or change encryption for.

  4. Choose Properties, and then choose Encryption.

    The Encryption dialog box opens, giving you three choices for object encryption:

    • None - No object encryption.

    • AES-256 - Server-side encryption with Amazon S3 managed keys (SSE-S3).

    • AWS-KMS - Server-side encryption with AWS Key Management Service (AWS KMS) customer master keys (SSE-KMS).

  5. If you want to remove encryption from an object that already has encryption settings, choose None and then choose Save.

  6. If you want to encrypt your object using keys that are managed by Amazon S3, follow these steps:

    1. Choose AES-256.

      For more information about using Amazon S3 server-side encryption to encrypt your data, see Protecting Data with Amazon S3-Managed Encryption Keys Classes in the Amazon Simple Storage Service Developer Guide.

    2. Choose Save.

  7. If you want to encrypt your object using AWS KMS, follow these steps:

    1. Choose AWS-KMS.

    2. Choose an AWS KMS customer master key (CMK).

      The list shows customer managed CMKs that you have created and your AWS managed CMK for Amazon S3. For more information about creating a customer managed AWS KMS CMK, see Creating Keys in the AWS Key Management Service Developer Guide.


      The Amazon S3 console lists only 100 AWS KMS CMKs per AWS Region. If you have more than 100 CMKs in the same Region, you can see only the first 100 CMKs in the S3 console. To use a KMS CMK that is not listed in the console, choose Custom KMS ARN, and enter the KMS CMK ARN.

    3. Choose Save.


    To encrypt objects in the bucket, you can use only CMKs that are enabled in the same AWS Region as the bucket. Amazon S3 only supports symmetric CMKs. Amazon S3 does not support asymmetric CMKs. For more information, see Using Symmetric and Asymmetric Keys.

  8. To give an external account the ability to use an object that is protected by an AWS KMS CMK, follow these steps:

    1. Choose AWS-KMS.

    2. Enter the Amazon Resource Name (ARN) for the external account.

    3. Choose Save.

      Administrators of an external account that have usage permissions to an object protected by your AWS KMS CMK can further restrict access by creating a resource-level AWS Identity and Access Management (IAM) policy.


This action applies encryption to all specified objects. When encrypting folders, wait for the save operation to finish before adding new objects to the folder.
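The same change can be scripted as a copy of the object onto itself with new encryption settings, which is why a new object (or version) results. The following is an added example, not part of the AWS documentation: the function names, bucket, object key, and KMS ARN are constructed for illustration, and the checks mirror the constraints stated above (key enabled, symmetric, and in the same Region as the bucket).

```python
import re

# arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(
    r"^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key/([0-9a-zA-Z-]+)$")


def check_kms_key(key_arn, bucket_region, key_metadata=None):
    """Enforce the SSE-KMS constraints before any request is sent.
    key_metadata: optional KeyMetadata dict from kms.describe_key()."""
    m = KMS_KEY_ARN.match(key_arn)
    if not m:
        raise ValueError("not a KMS key ARN: %r" % key_arn)
    if m.group(2) != bucket_region:
        raise ValueError("key Region %s differs from bucket Region %s"
                         % (m.group(2), bucket_region))
    if key_metadata is not None:
        if not key_metadata.get("Enabled", False):
            raise ValueError("key is not enabled")
        if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
            raise ValueError("S3 supports only symmetric keys")


def build_reencrypt_request(bucket, key, mode, bucket_region=None,
                            kms_key_arn=None, key_metadata=None):
    """Return kwargs for boto3 s3.copy_object() that copy an object onto
    itself with the console's AES-256 or AWS-KMS encryption choice."""
    params = {"Bucket": bucket, "Key": key,
              "CopySource": {"Bucket": bucket, "Key": key}}
    if mode == "AES-256":
        params["ServerSideEncryption"] = "AES256"      # SSE-S3
    elif mode == "AWS-KMS":
        if kms_key_arn is None or bucket_region is None:
            raise ValueError("AWS-KMS needs kms_key_arn and bucket_region")
        check_kms_key(kms_key_arn, bucket_region, key_metadata)
        params["ServerSideEncryption"] = "aws:kms"     # SSE-KMS
        params["SSEKMSKeyId"] = kms_key_arn
    else:
        raise ValueError("unsupported mode: %r" % mode)
    return params


# Constructed sample value, not a real key.
SAMPLE_ARN = ("arn:aws:kms:us-west-2:111122223333:"
              "key/1234abcd-12ab-34cd-56ef-1234567890ab")
```

With boto3 installed and credentials configured, the request is sent with `boto3.client("s3").copy_object(**params)`; afterwards, `head_object` reports the resulting `ServerSideEncryption` value for verification.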
