Data at Rest Encryption with Amazon S3 - AWS Key Management Service Best Practices

Data at Rest Encryption with Amazon S3

An S3 bucket policy can require that every object uploaded to a bucket is encrypted with SSE-KMS. The policy below denies any s3:PutObject request whose x-amz-server-side-encryption header is not aws:kms, so an upload that asks for no server-side encryption is rejected, and so is one that asks for SSE-S3 (AES256) instead of KMS. The policy looks like the following:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}

Note that this policy does not encrypt objects that are already in the bucket. It only denies attempts to add new objects unless the request specifies SSE-KMS. Objects uploaded before the policy was attached stay encrypted or unencrypted exactly as they were first written, so existing plaintext objects have to be re-encrypted separately, for example by copying each object onto itself with the x-amz-server-side-encryption: aws:kms header, which the policy permits.
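The following is an added example, not code from the whitepaper or from AWS: it audits a bucket policy document for the Deny statement shown above and then replays that statement's StringNotEquals condition against a few constructed PutObject requests, so the effect on unencrypted, SSE-S3 and SSE-KMS uploads can be seen without touching a live bucket. The policy string is the one from the page with YourBucket as its placeholder; the request headers are constructed samples. The evaluator models only this one condition, and it assumes that a request which omits the header has no s3:x-amz-server-side-encryption key in its request context, so the key does not equal aws:kms and the Deny matches, which is the behaviour the text describes.

```python
"""Audit an S3 bucket policy for the SSE-KMS upload guard and replay the
guard's condition against sample PutObject requests.

Added example. BUCKET_POLICY is the statement from the page (YourBucket is
the page's placeholder); SAMPLE_REQUESTS are constructed header sets, not
captured traffic. put_object_denied() models one StringNotEquals condition,
not the full IAM policy evaluation logic.
"""
import json
from typing import Dict, List, Optional

SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"
SSE_REQUEST_HEADER = "x-amz-server-side-encryption"
REQUIRED_SSE = "aws:kms"

BUCKET_POLICY = """
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
"""


def _as_list(value) -> List:
    """Policy fields such as Statement, Action and Resource may be a single
    value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_sse_kms_guard(policy_json: str, bucket: str) -> Optional[dict]:
    """Return the Deny statement that requires SSE-KMS on s3:PutObject for
    every object in `bucket`, or None if the policy has no such statement.

    The check looks for the literal shape used on the page (action
    s3:PutObject, resource arn:aws:s3:::<bucket>/*, Principal "*");
    broader wildcards are deliberately not treated as equivalent.
    """
    policy = json.loads(policy_json)
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") != "*":
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        if object_arn not in _as_list(stmt.get("Resource")):
            continue
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if not_equals.get(SSE_CONDITION_KEY) == REQUIRED_SSE:
            return stmt
    return None


def put_object_denied(guard: dict, request_headers: Dict[str, str]) -> bool:
    """Evaluate the guard's StringNotEquals condition for one PutObject.

    S3 exposes the x-amz-server-side-encryption request header as the
    condition key s3:x-amz-server-side-encryption. Modelling assumption: a
    request without the header has no such key, so it is not equal to
    aws:kms and the Deny matches. HTTP header names are case-insensitive,
    so they are lower-cased before lookup.
    """
    expected = guard["Condition"]["StringNotEquals"][SSE_CONDITION_KEY]
    headers = {name.lower(): value for name, value in request_headers.items()}
    return headers.get(SSE_REQUEST_HEADER) != expected


# Constructed sample requests: header sets a client might send with PutObject.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "no_encryption_header": {"Content-Type": "text/plain"},
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},
    "sse_kms": {"X-Amz-Server-Side-Encryption": "aws:kms"},
}


def classify_requests(policy_json: str, bucket: str) -> Dict[str, str]:
    """Map each sample request to 'denied' or 'not denied' under the guard.
    'not denied' means only that this Deny statement does not match; an
    Allow elsewhere is still needed for the upload to succeed."""
    guard = find_sse_kms_guard(policy_json, bucket)
    if guard is None:
        raise ValueError(f"no SSE-KMS upload guard found for bucket {bucket}")
    return {
        name: "denied" if put_object_denied(guard, headers) else "not denied"
        for name, headers in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, verdict in classify_requests(BUCKET_POLICY, "YourBucket").items():
        print(f"{name:22s} {verdict}")
```

Running the module prints one verdict per sample request: the upload with no encryption header and the SSE-S3 upload are denied, while the SSE-KMS upload is not caught by this statement. Pointing find_sse_kms_guard at a bucket name other than YourBucket returns None, which is the signal a policy lint would turn into a finding.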