Set S3 default encryption with AWS KMS
📑 On this page
Part 26 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
SSE-KMS gives AWS KMS control and audit visibility around the encryption key. This example uses the AWS managed key alias/aws/s3; customer managed keys come later.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
Cost note: SSE-KMS requests can create KMS request charges. S3 Bucket Keys can reduce KMS request traffic for supported workloads.
The command
aws s3api put-bucket-encryption \
--bucket "$BUCKET" \
--server-side-encryption-configuration \
'{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"alias/aws/s3"},"BucketKeyEnabled":true}]}'A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-bucket-encryption \
--bucket "$BUCKET" \
--query "ServerSideEncryptionConfiguration.Rules[].{Algorithm:ApplyServerSideEncryptionByDefault.SSEAlgorithm,Key:ApplyServerSideEncryptionByDefault.KMSMasterKeyID,BucketKey:BucketKeyEnabled}" \
--output tableRead the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
echo "kms demo" > kms-demo.txt
aws s3 cp kms-demo.txt "s3://$BUCKET/kms-demo.txt"
aws s3api head-object --bucket "$BUCKET" --key kms-demo.txt \
--query "{Encryption:ServerSideEncryption,Key:SSEKMSKeyId,BucketKey:BucketKeyEnabled}"Change only this one option so the effect stays easy to understand and reverse.
Common mistake
Do not confuse KMS permissions with S3 permissions. Uploading and reading SSE-KMS objects may require both S3 actions and KMS actions. For cross-account or customer-key use, prefer a full KMS key ARN instead of an alias.
Cleanup
aws s3 rm "s3://$BUCKET/kms-demo.txt"
rm kms-demo.txt
aws s3api put-bucket-encryption \
--bucket "$BUCKET" \
--server-side-encryption-configuration \
'{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'The cleanup returns the demo bucket to an explicit SSE-S3 default instead of removing encryption.
Next, we will learn Inspect S3 bucket encryption deeply.