S3 encryption (server-side and keys)

Topic: Cloud aws core

Summary

Enable server-side encryption (SSE) on S3 buckets so objects are encrypted at rest. Use SSE-S3 (keys owned and managed by S3) or SSE-KMS (a KMS key, either the AWS managed aws/s3 key or a customer managed key). S3 has applied SSE-S3 to every new object automatically since January 2023, so the decision that matters today is whether to move to SSE-KMS for key-level control, a per-use audit trail and the ability to revoke access by key policy. Use this when storing sensitive data in S3 and when you need to demonstrate encryption for compliance.

Intent: How-to

Quick answer

  • SSE-S3: S3 manages the keys. It is applied to all new uploads automatically, and you can also set it explicitly as the bucket default (Console or PutBucketEncryption). Objects written before automatic encryption took effect stay unencrypted until they are re-uploaded or copied with encryption.
  • SSE-KMS: Use a KMS key (AWS managed or customer managed) in the bucket's default encryption configuration. Every encrypt and decrypt is a KMS call recorded in CloudTrail, and the key policy decides who can read the data. Enable S3 Bucket Key so S3 derives per-object keys from one KMS data key, which cuts KMS request volume and cost on high-throughput buckets.
  • Enforce encryption: Add a bucket policy that denies s3:PutObject unless the s3:x-amz-server-side-encryption condition key equals the algorithm you require (aws:kms for SSE-KMS), optionally pinning s3:x-amz-server-side-encryption-aws-kms-key-id to your key. Deny all requests with aws:SecureTransport false so data in transit is always TLS.

Prerequisites

An existing bucket and IAM permission to change its encryption configuration and policy (s3:PutEncryptionConfiguration, s3:PutBucketPolicy). For SSE-KMS, a KMS key in the same Region as the bucket whose key policy lets the uploading and downloading principals call kms:GenerateDataKey and kms:Decrypt.

Steps

  1. Enable default encryption

    S3 -> bucket -> Properties -> Default encryption -> Edit. Choose SSE-S3 or SSE-KMS; for SSE-KMS select an existing key or create one. Save. The default applies to uploads that do not specify their own encryption; objects already in the bucket are unchanged until copied with encryption.

  2. SSE-KMS and bucket key

    For SSE-KMS, enable S3 Bucket Key (fewer KMS API calls, lower cost, same security model; it is an option on the same encryption rule). Use a customer managed key when you need to edit the key policy, add grants, choose a rotation schedule, or share the key across accounts; the AWS managed aws/s3 key is simpler but its policy cannot be edited and it cannot be used from another account.

  3. Enforce in bucket policy

    Add a Deny statement on s3:PutObject with the condition StringNotEquals s3:x-amz-server-side-encryption = aws:kms (a negated operator also matches when the header is absent, so both unencrypted and SSE-S3 uploads are refused). Optionally add a second Deny on s3:x-amz-server-side-encryption-aws-kms-key-id so only your key can be named. Default encryption alone does not satisfy the condition, so clients must send the header explicitly; this is the point of the control (defense in depth), but plan for the client changes.

  4. In transit

    The AWS SDKs and CLI use HTTPS by default, but S3 endpoints also accept plain HTTP, so add a bucket policy Deny for all actions when aws:SecureTransport is false. Use a gateway VPC endpoint for S3 when traffic must not leave the AWS network; you can further restrict the bucket with an aws:SourceVpce condition.
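Steps 1 to 4 as one script, added here as an example (it is not code from the original page or from AWS). The bucket name, key ARN and the S3_BUCKET and KMS_KEY_ARN variables are placeholders; the script assumes the bucket and key already exist in the same Region and that the caller has the permissions listed under Prerequisites.

```bash
#!/usr/bin/env bash
# Added example, not the page's own code: configure SSE-KMS with S3 Bucket Key,
# enforce it with a bucket policy, and verify with test uploads. Hypothetical
# inputs: S3_BUCKET and KMS_KEY_ARN. Assumes bucket and key exist in the same
# Region and the caller holds s3:PutEncryptionConfiguration, s3:PutBucketPolicy,
# s3:PutObject, and kms:GenerateDataKey/kms:Decrypt on the key.
set -eu

# Bucket policy with three Deny statements (a Deny always wins over an Allow):
#  1. PutObject must carry x-amz-server-side-encryption: aws:kms. StringNotEquals
#     also matches when the header is absent, so a missing header is denied.
#  2. If a key-id header is present it must name our key; IfExists keeps uploads
#     that omit the header (and so get the bucket default key) working.
#  3. No request may arrive over plain HTTP.
bucket_policy_json() {
  local bucket="$1" key_arn="$2"
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyPutWithoutKms", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::${bucket}/*",
   "Condition": {"StringNotEquals":
     {"s3:x-amz-server-side-encryption": "aws:kms"}}},
  {"Sid": "DenyPutWithOtherKey", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::${bucket}/*",
   "Condition": {"StringNotEqualsIfExists":
     {"s3:x-amz-server-side-encryption-aws-kms-key-id": "${key_arn}"}}},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*",
   "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
]}
EOF
}

# Steps 1 and 2: SSE-KMS as the bucket default, with S3 Bucket Key enabled.
enable_sse_kms() {
  local bucket="$1" key_arn="$2"
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "{\"Rules\": [{
      \"ApplyServerSideEncryptionByDefault\":
        {\"SSEAlgorithm\": \"aws:kms\", \"KMSMasterKeyID\": \"${key_arn}\"},
      \"BucketKeyEnabled\": true}]}"
}

# Steps 3 and 4: attach the policy (encryption header + TLS enforcement).
apply_policy() {
  local bucket="$1" key_arn="$2"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(bucket_policy_json "$bucket" "$key_arn")"
}

# Verification: the default is set, a compliant upload reports aws:kms, and a
# non-compliant upload (SSE-S3 requested instead of KMS) is rejected.
verify() {
  local bucket="$1" key_arn="$2" tmp
  tmp="$(mktemp)"; echo "probe" > "$tmp"
  aws s3api get-bucket-encryption --bucket "$bucket" \
    --query 'ServerSideEncryptionConfiguration.Rules[0]'
  aws s3api put-object --bucket "$bucket" --key probe.txt --body "$tmp" \
    --server-side-encryption aws:kms --ssekms-key-id "$key_arn" > /dev/null
  aws s3api head-object --bucket "$bucket" --key probe.txt \
    --query '[ServerSideEncryption, SSEKMSKeyId, BucketKeyEnabled]'
  if aws s3api put-object --bucket "$bucket" --key probe-plain.txt \
       --body "$tmp" --server-side-encryption AES256 2>/dev/null; then
    echo "FAIL: SSE-S3 upload was accepted" >&2; rm -f "$tmp"; return 1
  fi
  echo "OK: non-KMS upload denied"
  rm -f "$tmp"
}

# Only act when the caller opts in, so sourcing this file has no side effects.
if [ -n "${S3_BUCKET:-}" ] && [ -n "${KMS_KEY_ARN:-}" ]; then
  enable_sse_kms "$S3_BUCKET" "$KMS_KEY_ARN"
  apply_policy   "$S3_BUCKET" "$KMS_KEY_ARN"
  verify         "$S3_BUCKET" "$KMS_KEY_ARN"
fi
```

Run it as S3_BUCKET=my-bucket KMS_KEY_ARN=arn:aws:kms:... ./sse.sh. The second Deny uses StringNotEqualsIfExists rather than StringNotEquals so that uploads which send aws:kms without a key id (and therefore land on the bucket default key) keep working; if you want clients to name the key every time, switch it to StringNotEquals.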

Verification

  • aws s3api get-bucket-encryption --bucket <bucket> returns SSEAlgorithm aws:kms (or AES256), the KMSMasterKeyID you chose and BucketKeyEnabled true.
  • aws s3api head-object --bucket <bucket> --key <key> on a freshly uploaded object shows ServerSideEncryption and, for SSE-KMS, SSEKMSKeyId.
  • An upload that omits the encryption header, requests AES256, or names another key fails with AccessDenied; a request over http:// is also denied.
  • For SSE-KMS, CloudTrail records the GenerateDataKey and Decrypt calls on the key, attributed to the principal that used S3.

Troubleshooting

Existing objects not encrypted, or encrypted with SSE-S3 when SSE-KMS is required: copy each object onto itself with the new encryption, e.g. aws s3 cp s3://bucket/key s3://bucket/key --sse aws:kms --sse-kms-key-id <key-arn>. Use S3 Inventory, which reports each object's encryption status, to find the objects that need it, and an S3 Batch Operations Copy job for large buckets. In a versioned bucket the copy creates a new version; earlier versions keep their old encryption until they are deleted. Otherwise accept that only new objects are covered and document it. KMS cost high: enable S3 Bucket Key, or use SSE-S3 for buckets that do not need key-level control. Uploads fail with AccessDenied after the policy is added: the client must send the x-amz-server-side-encryption: aws:kms header itself; relying on the bucket default does not satisfy the condition.
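The re-encryption fix above as a script, added here as an example (not the page's or AWS's own code). It walks a bucket, checks each object's current encryption with head-object, and copies only the objects that are not already on the intended KMS key. Bucket name, key ARN, prefix and the S3_BUCKET/KMS_KEY_ARN/S3_PREFIX variables are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: find objects that are not
# encrypted with the intended KMS key and re-encrypt them by copying each
# object onto itself. Hypothetical inputs: bucket, key ARN, optional prefix.
# Assumes the caller can read and write the objects and use the key.
set -eu

# Pure decision helper: given the values head-object prints for
# ServerSideEncryption and SSEKMSKeyId (the CLI prints "None" for a missing
# field), return 0 if the object must be re-encrypted with $want_key.
needs_reencrypt() {
  local algo="$1" key_id="$2" want_key="$3"
  [ "$algo" = "aws:kms" ] && [ "$key_id" = "$want_key" ] && return 1
  return 0
}

# Re-encrypt one object in place. aws s3 cp uses multipart copy for objects
# over 5 GB and URL-encodes the copy source, which raw copy-object does not.
reencrypt_object() {
  local bucket="$1" key="$2" key_arn="$3"
  aws s3 cp "s3://${bucket}/${key}" "s3://${bucket}/${key}" \
    --sse aws:kms --sse-kms-key-id "$key_arn" --only-show-errors
}

# Walk the bucket (the CLI paginates list-objects-v2 for us), inspect each
# object's encryption and copy only the ones that need it.
reencrypt_bucket() {
  local bucket="$1" key_arn="$2" prefix="${3:-}" key algo key_id
  aws s3api list-objects-v2 --bucket "$bucket" --prefix "$prefix" \
      --query 'Contents[].Key' --output text | tr '\t' '\n' |
  while IFS= read -r key; do
    [ -n "$key" ] && [ "$key" != "None" ] || continue
    # head-object prints "<algo>\t<key-id>" on one line; split into $1 $2.
    set -- $(aws s3api head-object --bucket "$bucket" --key "$key" \
               --query '[ServerSideEncryption,SSEKMSKeyId]' --output text)
    algo="${1:-None}"; key_id="${2:-None}"
    if needs_reencrypt "$algo" "$key_id" "$key_arn"; then
      echo "re-encrypting $key (was ${algo})"
      reencrypt_object "$bucket" "$key" "$key_arn"
    fi
  done
}

# Only act when the caller opts in, so sourcing this file has no side effects.
if [ -n "${S3_BUCKET:-}" ] && [ -n "${KMS_KEY_ARN:-}" ]; then
  reencrypt_bucket "$S3_BUCKET" "$KMS_KEY_ARN" "${S3_PREFIX:-}"
fi
```

Each object costs one HEAD plus, when needed, one copy, so for millions of objects prefer an S3 Inventory report to pick the candidates and an S3 Batch Operations Copy job to do the copying. In a versioned bucket the copy adds a new version and leaves the old one in place.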

Next steps

Continue to