Class PutBucketEncryptionCommandProtected

This action uses the encryption subresource to configure default encryption and Amazon S3 Bucket Keys for an existing bucket.

By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption for a bucket by using server-side encryption with Key Management Service (KMS) keys (SSE-KMS) or dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS). If you specify default encryption by using SSE-KMS, you can also configure Amazon S3 Bucket Keys. If you use PutBucketEncryption to set your default bucket encryption to SSE-KMS, you should verify that your KMS key ID is correct. Amazon S3 does not validate the KMS key ID provided in PutBucketEncryption requests.

This action requires Amazon Web Services Signature Version 4. For more information, see Authenticating Requests (Amazon Web Services Signature Version 4).

To use this operation, you must have permission to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

The following operations are related to PutBucketEncryption:

• GetBucketEncryption

• DeleteBucketEncryption

Example

Use a bare-bones client and the command you need to make an API call.

import { S3Client, PutBucketEncryptionCommand } from "@aws-sdk/client-s3"; // ES Modules import
// const { S3Client, PutBucketEncryptionCommand } = require("@aws-sdk/client-s3"); // CommonJS import
const client = new S3Client(config);
const input = { // PutBucketEncryptionRequest
  Bucket: "STRING_VALUE", // required
  ContentMD5: "STRING_VALUE",
  ChecksumAlgorithm: "CRC32" || "CRC32C" || "SHA1" || "SHA256",
  ServerSideEncryptionConfiguration: { // ServerSideEncryptionConfiguration
    Rules: [ // ServerSideEncryptionRules // required
      { // ServerSideEncryptionRule
        ApplyServerSideEncryptionByDefault: { // ServerSideEncryptionByDefault
          SSEAlgorithm: "AES256" || "aws:kms" || "aws:kms:dsse", // required
          KMSMasterKeyID: "STRING_VALUE",
        },
        BucketKeyEnabled: true || false,
      },
    ],
  },
  ExpectedBucketOwner: "STRING_VALUE",
};
const command = new PutBucketEncryptionCommand(input);
const response = await client.send(command);
// {};

Param

PutBucketEncryptionCommandInput

Returns

PutBucketEncryptionCommandOutput

See

• PutBucketEncryptionCommandInput for command's input shape.
• PutBucketEncryptionCommandOutput for command's response shape.
• config for S3Client's config shape.

Throws

S3ServiceException

Base exception class for all service exceptions from S3 service.