Using server-side encryption with Amazon S3 managed keys (SSE-S3) - Amazon Simple Storage Service

Using server-side encryption with Amazon S3 managed keys (SSE-S3)

All new object uploads to Amazon S3 buckets are encrypted by default with server-side encryption with Amazon S3 managed keys (SSE-S3).

Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects.

There are no additional fees for using server-side encryption with Amazon S3 managed keys (SSE-S3). However, requests to configure the default encryption feature incur standard Amazon S3 request charges. For information about pricing, see Amazon S3 pricing.

If you require your data uploads to be encrypted using only Amazon S3 managed keys, you can use a bucket policy like the following. It denies permission to upload an object unless the request includes the x-amz-server-side-encryption header with the value AES256, which requests SSE-S3:

    {
        "Version": "2012-10-17",
        "Id": "PutObjectPolicy",
        "Statement": [
            {
                "Sid": "DenyObjectsThatAreNotSSES3",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "AES256"
                    }
                }
            }
        ]
    }
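To see why this policy also catches uploads that omit the header entirely, the following added example (not from the AWS documentation, and not the real IAM policy engine) models the Deny statement's StringNotEquals evaluation against a few constructed PutObject requests. The function names, the dict copy of the policy and the sample headers are all assumptions made for this illustration.

```python
import fnmatch
# The page's bucket policy, re-typed as a Python dict (constructed copy).
POLICY = {
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [{
        "Sid": "DenyObjectsThatAreNotSSES3",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(block, context):
    """Only StringEquals / StringNotEquals are modelled. A key absent from the
    request context makes a positive operator false and a negated one true,
    so a PutObject with no x-amz-server-side-encryption header is denied."""
    for operator, keys in block.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        negated = operator == "StringNotEquals"
        for key, allowed in keys.items():
            if key not in context:
                if not negated:
                    return False
                continue
            if (context[key] in _as_list(allowed)) == negated:
                return False
    return True

def put_is_denied(policy, resource_arn, headers):
    """True if a Deny statement matches a PutObject on resource_arn; the
    s3:x-amz-server-side-encryption condition key is taken from headers."""
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

A request carrying `x-amz-server-side-encryption: AES256` passes; one carrying `aws:kms` or no header at all is denied, and objects in other buckets are outside the statement's Resource and unaffected.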

API support for server-side encryption

All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 PUT requests, or you can update the default encryption configuration in the destination bucket.

If you want to specify a different encryption type in your PUT requests, you can use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), dual-layer server-side encryption with AWS KMS keys (DSSE-KMS), or server-side encryption with customer-provided keys (SSE-C). If you want to set a different default encryption configuration in the destination bucket, you can use SSE-KMS or DSSE-KMS.

For more information about changing the default encryption configuration for your general purpose buckets, see Configuring default encryption.

When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the Copy objects action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see Performing object operations in bulk with Batch Operations and the AWS Storage Blog post How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations.

To configure server-side encryption by using the object creation REST APIs, you must provide the x-amz-server-side-encryption request header. For information about the REST APIs, see Using the REST API.

The following Amazon S3 APIs support this header:

  • PUT operations – Specify the request header when uploading data using the PUT API. For more information, see PUT Object.

  • Initiate Multipart Upload – Specify the header in the initiate request when uploading large objects using the multipart upload API operation. For more information, see Initiate Multipart Upload.

  • COPY operations – When you copy an object, you have both a source object and a target object. For more information, see PUT Object - Copy.

The AWS SDKs also provide wrapper APIs that you can use to request server-side encryption. You can also use the AWS Management Console to upload objects and request server-side encryption.

For more general information, see AWS KMS concepts in the AWS Key Management Service Developer Guide.
