ServerSideEncryptionByDefault
Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see PUT Bucket encryption in the Amazon S3 API Reference.
Note
If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
Contents
- SSEAlgorithm
-
Server-side encryption algorithm to use for the default encryption.
Type: String
Valid Values:
AES256 | aws:kms | aws:kms:dsse
Required: Yes
- KMSMasterKeyID
-
AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if
SSEAlgorithm
is set toaws:kms
oraws:kms:dsse
.You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
-
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
-
Key Alias:
alias/alias-name
If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.
Important
Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.
Type: String
Required: No
-
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: