When I activate default encryption on my Amazon S3 bucket, do I need to update my bucket policy so that objects in the bucket are encrypted?


I activated default encryption on my Amazon Simple Storage Service (Amazon S3) bucket. But I'm not sure whether I need to change my bucket policy to make sure that objects stored in my bucket are encrypted.

Resolution

No, you don't need to update your bucket policy to make sure that objects stored in your bucket are encrypted. If you activate default encryption, and a user uploads an object without encryption information, then Amazon S3 uses the default encryption method that you specify. If a user specifies encryption information in the PUT request, then Amazon S3 uses the encryption specified in the request.

This behavior applies to encryption with the following key types:

  • Amazon S3 managed keys (labeled SSE-S3)
  • AWS Key Management Service (AWS KMS) managed keys (labeled aws/s3)

For more information on encryption behavior after you activate default encryption, see Setting default server-side encryption behavior for Amazon S3 buckets.

Important: If you specify a customer managed AWS KMS key, then you must grant users additional permissions before they can upload or access objects in the bucket.

Grant AWS IAM users permissions to use the key

You can grant AWS Identity and Access Management (IAM) users permissions to use the key in their IAM user policies. The policy that you use depends on whether the IAM user is in the same account as the key.

If the IAM user is in a different account than the key and the S3 bucket, then both the key policy and the IAM user policy must grant the required permissions.
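The following IAM identity policy is an added example for the same-account case and is not part of the original article. It grants the S3 object actions on the bucket and the two KMS actions that SSE-KMS uploads and downloads need (kms:GenerateDataKey for PUT, kms:Decrypt for GET), scoped with the kms:ViaService condition so the key can only be used through Amazon S3 in that Region; the bucket name, account ID, Region, and key ID are placeholders to replace.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectAccessInEncryptedBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "AllowUseOfCustomerManagedKeyViaS3",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:REGION:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

For a user in a different account, attach the same statements to that user's policy and additionally add a statement in the key policy that allows the same KMS actions for the external account's principal; the identity policy alone is not sufficient across accounts.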

Related information

Key policies in AWS KMS

AWS KMS concepts

AWS OFFICIAL. Updated 3 months ago.