Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Amazon S3 Default Encryption for S3 Buckets

Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. You can set default encryption on a bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).

When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk and decrypts it when you download the objects. For more information about protecting data using server-side encryption and encryption key management, see Protecting Data Using Server-Side Encryption.

How Do I Set Up Amazon S3 Default Encryption for an S3 Bucket?

This section describes how to set up Amazon S3 default encryption. You can use the AWS SDKs, the Amazon S3 REST API, the AWS Command Line Interface (AWS CLI), or the Amazon S3 console to enable the default encryption. The easiest way to set up default encryption for an S3 bucket is by using the AWS Management Console.

To set up default encryption on a bucket, you can use any of these methods:

After you enable default encryption for a bucket, the following encryption behavior applies:

  • There is no change to the encryption of the objects that existed in the bucket before default encryption was enabled.

  • When you upload objects after enabling default encryption:

    • If your PUT request headers don't include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects.

    • If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3.

  • If you use the SSE-KMS option for your default encryption configuration, you are subject to the RPS (requests per second) limits of AWS KMS. For more information about AWS KMS limits and how to request a limit increase, see AWS KMS limits.

To encrypt your existing Amazon S3 objects with a single request, you can use Amazon S3 batch operations. You provide Amazon S3 batch operations with a list of objects to operate on, and Amazon S3 batch operations calls the respective API to perform the specified operation. You can use the copy operation to copy the existing unencrypted objects and write the new encrypted objects to the same bucket. A single Amazon S3 batch operations job can perform the specified operation on billions of objects containing exabytes of data.

Using Default Encryption with Replication

After you enable default encryption for a replication destination bucket, the following encryption behavior applies:

  • If objects in the source bucket are not encrypted, the replica objects in the destination bucket are encrypted using the default encryption settings of the destination bucket. This results in the ETag of the source object being different from the ETag of the replica object. You must update applications that use the ETag to accommodate for this difference.

  • If objects in the source bucket are encrypted using SSE-S3 or SSE-KMS, the replica objects in the destination bucket use the same encryption as the source object encryption. The default encryption settings of the destination bucket are not used.

For more information about using default encryption with SSE-KMS, see Replicating Encrypted Objects.

Monitoring Default Encryption with CloudTrail and CloudWatch

You can track default encryption configuration requests through AWS CloudTrail events. The API event names used in CloudTrail logs are PutBucketEncryption, GetBucketEncryption, and DeleteBucketEncryption. You can also create Amazon CloudWatch Events with S3 bucket-level operations as the event type. For more information about CloudTrail events, see How Do I Enable Object-Level Logging for an S3 Bucket with CloudWatch Data Events?

You can use CloudTrail logs for object-level Amazon S3 actions to track PUT and POST requests to Amazon S3 to verify whether default encryption is being used to encrypt objects when incoming PUT requests don't have encryption headers.

When Amazon S3 encrypts an object using the default encryption settings, the log includes the following field as the name/value pair: "SSEApplied":"Default_SSE_S3" or "SSEApplied":"Default_SSE_KMS".

When Amazon S3 encrypts an object using the PUT encryption headers, the log includes the following field as the name/value pair: "SSEApplied":"SSE_S3", "SSEApplied":"SSE_KMS, or "SSEApplied":"SSE_C". For multipart uploads, this information is included in the InitiateMultipartUpload API requests. For more information about using CloudTrail and CloudWatch, see Monitoring Amazon S3.