← All posts
2 min read

Set S3 default encryption with SSE-S3

#aws#cli#s3#storage#security
📑 On this page

Part 25 of AWS from Zero. Today we make a bucket's SSE-S3 default encryption configuration explicit and inspectable.

What we are learning

Amazon S3 automatically applies server-side encryption with S3-managed keys, called SSE-S3, to new uploads. An explicit bucket configuration documents the intended default and can be checked by automation.

SSE-S3 uses the AES256 algorithm name in S3 API responses.

Before you run it

REGION="ap-south-1"
BUCKET="aws-zero-sse-s3-12345"
 
aws s3api create-bucket \
  --bucket "$BUCKET" \
  --region "$REGION" \
  --create-bucket-configuration LocationConstraint="$REGION"

Set the default

aws s3api put-bucket-encryption \
  --bucket "$BUCKET" \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

The command produces no output when it succeeds.

Inspect the bucket configuration

aws s3api get-bucket-encryption \
  --bucket "$BUCKET" \
  --query "ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault" \
  --output table

The algorithm should be AES256.

Upload and inspect an object

echo "encrypted by default" > secret.txt
aws s3 cp secret.txt "s3://$BUCKET/secret.txt"
 
aws s3api head-object \
  --bucket "$BUCKET" \
  --key "secret.txt" \
  --query "{Encryption:ServerSideEncryption,Size:ContentLength}" \
  --output table

The object should report AES256.

One tiny variation

You can also request SSE-S3 on one upload:

aws s3api put-object \
  --bucket "$BUCKET" \
  --key "explicit-secret.txt" \
  --body secret.txt \
  --server-side-encryption AES256

Common mistake

Server-side encryption protects data at rest. It does not make an object private by itself, replace IAM and bucket policies, or protect data after an authorized download.

Also remember that encryption settings apply to new writes. Changing a bucket default does not rewrite existing objects.

Cleanup

aws s3 rm "s3://$BUCKET/" --recursive
aws s3api delete-bucket --bucket "$BUCKET" --region "$REGION"
rm secret.txt

Next, we will compare SSE-S3 with default encryption using AWS KMS.

AWS CLI put-bucket-encryption reference