How can I use AWS KMS to encrypt a specific folder in my Amazon S3 bucket?

3 minute read
0

I want to encrypt a specific folder in my Amazon Simple Storage Service (Amazon S3) bucket with an AWS Key Management Service (AWS KMS) key.

Resolution

Use the Amazon S3 console

  1. Open the Amazon S3 console.
  2. Navigate to the folder that you want to encrypt.
    Warning: If your folder contains a large number of objects, you might experience a throttling error. To avoid throttling errors, increase your Amazon S3 request limits on your Amazon S3 bucket. For more troubleshooting tips on throttling errors, see Why am I receiving a ThrottlingExceptions error when making requests to AWS KMS?
  3. Select the folder, and then choose Actions.
  4. Choose Edit server-side encryption.
  5. For Enabling Server-side encryption, choose Enable.
  6. For your AWS Key Management Service key (SSE-KMS), choose Encryption key type.
  7. Select the AWS KMS key that you want to use for folder encryption.
    Note: The key named aws/s3 is a default key that AWS KMS manages. You can encrypt the folder with either the default key or a custom key.
  8. Choose Save changes.

Use the AWS CLI

You can't change the encryption of an existing folder from an AWS Command Line Interface (AWS CLI) command. Instead, run a command that copies the folder over itself with AWS KMS encryption turned on.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

To encrypt the files with the default AWS KMS key (aws/s3), run the following command:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms

This command syntax copies the folder over itself with AWS KMS encryption.

To encrypt the files using a custom AWS KMS key, run the following command:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms --sse-kms-key-id a1b2c3d4-e5f6-7890-g1h2-123456789abc

Note: Replace --sse-kms-key-id with your own key ID.

Require that future uploads encrypt objects with AWS KMS

After you change the encryption setting, this encrypts only the objects that are already in the folder. You can upload objects after this change without encryption. To require that future uploads encrypt objects with AWS KMS, use a bucket policy like the following example:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}

This bucket policy denies access to s3:PutObject on docexamplebucket/docexamplefolder/* unless the request includes server-side encryption with AWS KMS.

Related information

Using server-side encryption with AWS KMS keys (SSE-KMS)

AWS OFFICIAL
AWS OFFICIALUpdated a year ago