Example SCPs for Amazon S3 - AWS Organizations

Example SCPs for Amazon S3

Note

Amazon Simple Storage Service (Amazon S3) automatically applies server-side encryption (SSE-S3) for each new object, unless you specify a different encryption option. For more information, see Amazon S3 now automatically encrypts all new objects in the Amazon S3 User Guide.

Prevent Amazon S3 unencrypted object uploads

The following policy denies every s3:PutObject request that does not carry the x-amz-server-side-encryption header. Note what the Null condition tests: whether the request included the header, not whether the object ends up encrypted. Because Amazon S3 now applies SSE-S3 to every new object by default (see the note above), an upload without the header is still encrypted at rest, so the practical effect of this SCP is to force principals in member accounts to state their encryption choice explicitly. As with any SCP, it only filters permissions and never grants them: the principal's IAM policies must still allow s3:PutObject, the policy should be attached alongside an Allow SCP such as the default FullAWSAccess, and the organization's management account is not affected by SCPs at all.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

The following policy adds a second statement so that, besides denying uploads that omit the header, it also denies uploads whose header names any encryption type other than the one you choose. The two statements are complementary: the first catches a missing header, the second a header that is present but carries the wrong value. As written the policy requires SSE-S3 by checking for AES256; to require SSE-KMS instead, replace AES256 with aws:kms in the StringNotEquals condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}
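To see how the two policies above treat concrete uploads, here is a small evaluator, added as an example; it is not part of the AWS documentation and is not AWS's policy engine. It models only the operators the page uses (Null and StringNotEquals, plus StringEquals as the natural counterpart), embeds the SCPs as JSON, and runs them against three constructed request contexts: no header, SSE-S3 (AES256) and SSE-KMS (aws:kms). It goes slightly beyond the page by building the second policy from the chosen header value, so the aws:kms variant mentioned in the text can be checked as well. The function and constant names (build_enforce_scp, scp_denies, evaluate_all, REQUESTS) are this example's own, and the request contexts are constructed, not captured from AWS.

```python
import fnmatch
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

# The page's first SCP, embedded as JSON exactly as you would paste it in.
SCP_REQUIRE_HEADER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }
  ]
}
""")


def build_enforce_scp(algorithm):
    """The page's second SCP for a chosen header value:
    "AES256" for SSE-S3 or "aws:kms" for SSE-KMS. (Example helper.)"""
    deny_missing = {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                    "Condition": {"Null": {SSE_KEY: "true"}}}
    deny_other = {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                  "Condition": {"StringNotEquals": {SSE_KEY: algorithm}}}
    return {"Version": "2012-10-17", "Statement": [deny_missing, deny_other]}


SCP_REQUIRE_AES256 = build_enforce_scp("AES256")

# Constructed request contexts: the condition key S3 derives from the
# x-amz-server-side-encryption header of a PutObject request.
REQUESTS = {
    "no_header": {},                    # caller relies on S3 default encryption
    "sse_s3": {SSE_KEY: "AES256"},
    "sse_kms": {SSE_KEY: "aws:kms"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, context):
    """Every operator block and every key inside it must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null "true" matches when the key is absent, "false" when present.
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Assumption of this toy: a missing key does not satisfy
                # StringNotEquals. The page's separate Null statement is what
                # catches an absent header, so the results below do not depend on it.
                if not present or context[key] in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(scp, action, context):
    """Index of the first Deny statement that matches, or None.
    Resource is not evaluated because both policies on this page use "*"."""
    for index, statement in enumerate(scp["Statement"]):
        if statement.get("Effect") != "Deny":
            continue
        if not any(action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if condition_matches(statement.get("Condition", {}), context):
            return index
    return None


def evaluate_all(scp, action="s3:PutObject"):
    """Map each constructed request to True if no Deny in the SCP matched it.
    That only means the SCP does not block the call; the principal's IAM
    policies (and an Allow SCP such as FullAWSAccess) must still grant it."""
    return {name: scp_denies(scp, action, ctx) is None for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, scp in (("require header", SCP_REQUIRE_HEADER),
                       ("require AES256", SCP_REQUIRE_AES256),
                       ("require aws:kms", build_enforce_scp("aws:kms"))):
        print(label, evaluate_all(scp))
```

Running it shows the point made in the text: under the first policy an upload that relies on default encryption is denied while both AES256 and aws:kms uploads pass, and under the second policy only the chosen algorithm passes, so a fleet that uses SSE-KMS will be blocked by the AES256 variant until the value is changed.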