How do I add encryption to an S3 object? - Amazon Simple Storage Service

How do I add encryption to an S3 object?

This topic describes how to set or change the type of encryption an object is using.

To add or change encryption for an object

  1. Sign in to the AWS Management Console and open the Amazon S3 console at

  2. In the Bucket name list, choose the name of the bucket that contains the object.

  3. In the Name list, choose the name of the object that you want to add or change encryption for.

  4. Choose Properties, and then choose Encryption.

    The Encryption dialog opens, giving you three choices for object encryption:

    • None‐ No object encryption.

    • AES-256 ‐ Server-side encryption with Amazon S3‐managed keys (SSE-S3).

    • AWS‐KMS ‐ Server-side encryption with AWS Key Management Service (AWS KMS) customer master keys (SSE-KMS).

  5. If you want to remove encryption from an object that already has encryption settings, choose None and Save.

  6. If you want to encrypt your object using keys that are managed by Amazon S3, follow these steps:

    1. ChooseAES-256.

      For more information about using Amazon S3 server-side encryption to encrypt your data, see Protecting Data with Amazon S3-Managed Encryption Keys Classes in the Amazon Simple Storage Service Developer Guide.

    2. Choose Save.

  7. If you want to encrypt your object using AWS KMS, follow these steps:

    1. Choose AWS-KMS.

    2. Choose an AWS KMS CMK.

      The list shows Customer managed CMKs that you have created and your AWS managed CMK for Amazon S3. For more information about creating a customer managed AWS KMS CMK, see Creating Keys in the AWS Key Management Service Developer Guide.

    3. Choose Save.


    To encrypt objects in the bucket, you can use only CMKs that are enabled in the same AWS Region as the bucket. Amazon S3 only supports symmetric CMKs. Amazon S3 does not support asymmetric CMKs. For more information, see Using Symmetric and Asymmetric Keys.

  8. To give an external account the ability to use an object that is protected by an AWS KMS CMK, follow these steps:

    1. Choose AWS-KMS.

    2. Type the Amazon Resource Name (ARN) for the external account.

    3. Choose Save.

      Administrators of an external account that have usage permissions to an object protected by your AWS KMS CMK can further restrict access by creating a resource-level AWS Identity and Access Management (IAM) policy.

More info