Set S3 default encryption with SSE-S3
📑 On this page
Part 25 of AWS from Zero. Today we make a bucket's SSE-S3 default encryption configuration explicit and inspectable.
What we are learning
Amazon S3 automatically applies server-side encryption with S3-managed keys, called SSE-S3, to new uploads. An explicit bucket configuration documents the intended default and can be checked by automation.
SSE-S3 uses the AES256 algorithm name in S3 API responses.
Before you run it
REGION="ap-south-1"
BUCKET="aws-zero-sse-s3-12345"
aws s3api create-bucket \
--bucket "$BUCKET" \
--region "$REGION" \
--create-bucket-configuration LocationConstraint="$REGION"Set the default
aws s3api put-bucket-encryption \
--bucket "$BUCKET" \
--server-side-encryption-configuration \
'{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'The command produces no output when it succeeds.
Inspect the bucket configuration
aws s3api get-bucket-encryption \
--bucket "$BUCKET" \
--query "ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault" \
--output tableThe algorithm should be AES256.
Upload and inspect an object
echo "encrypted by default" > secret.txt
aws s3 cp secret.txt "s3://$BUCKET/secret.txt"
aws s3api head-object \
--bucket "$BUCKET" \
--key "secret.txt" \
--query "{Encryption:ServerSideEncryption,Size:ContentLength}" \
--output tableThe object should report AES256.
One tiny variation
You can also request SSE-S3 on one upload:
aws s3api put-object \
--bucket "$BUCKET" \
--key "explicit-secret.txt" \
--body secret.txt \
--server-side-encryption AES256Common mistake
Server-side encryption protects data at rest. It does not make an object private by itself, replace IAM and bucket policies, or protect data after an authorized download.
Also remember that encryption settings apply to new writes. Changing a bucket default does not rewrite existing objects.
Cleanup
aws s3 rm "s3://$BUCKET/" --recursive
aws s3api delete-bucket --bucket "$BUCKET" --region "$REGION"
rm secret.txtNext, we will compare SSE-S3 with default encryption using AWS KMS.