← All posts
2 min read

Set S3 default encryption with AWS KMS

#aws#cli#s3#storage#security#kms
📑 On this page

Part 26 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

SSE-KMS gives AWS KMS control and audit visibility around the encryption key. This example uses the AWS managed key alias/aws/s3; customer managed keys come later.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

Cost note: SSE-KMS requests can create KMS request charges. S3 Bucket Keys can reduce KMS request traffic for supported workloads.

The command

aws s3api put-bucket-encryption \
  --bucket "$BUCKET" \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"alias/aws/s3"},"BucketKeyEnabled":true}]}'

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-encryption \
  --bucket "$BUCKET" \
  --query "ServerSideEncryptionConfiguration.Rules[].{Algorithm:ApplyServerSideEncryptionByDefault.SSEAlgorithm,Key:ApplyServerSideEncryptionByDefault.KMSMasterKeyID,BucketKey:BucketKeyEnabled}" \
  --output table

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

echo "kms demo" > kms-demo.txt
aws s3 cp kms-demo.txt "s3://$BUCKET/kms-demo.txt"
aws s3api head-object --bucket "$BUCKET" --key kms-demo.txt \
  --query "{Encryption:ServerSideEncryption,Key:SSEKMSKeyId,BucketKey:BucketKeyEnabled}"

Change only this one option so the effect stays easy to understand and reverse.

Common mistake

Do not confuse KMS permissions with S3 permissions. Uploading and reading SSE-KMS objects may require both S3 actions and KMS actions. For cross-account or customer-key use, prefer a full KMS key ARN instead of an alias.

Cleanup

aws s3 rm "s3://$BUCKET/kms-demo.txt"
rm kms-demo.txt
aws s3api put-bucket-encryption \
  --bucket "$BUCKET" \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

The cleanup returns the demo bucket to an explicit SSE-S3 default instead of removing encryption.

Next, we will learn Inspect S3 bucket encryption deeply.

Official AWS CLI reference