Submitted URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
Effective URL: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Submission: On April 22 via api from US — Scanned from DE

SETTING DEFAULT SERVER-SIDE ENCRYPTION BEHAVIOR FOR AMAZON S3 BUCKETS

With Amazon S3 default encryption, you can set the default encryption behavior
for an S3 bucket so that all new objects are encrypted when they are stored in
the bucket. The objects are encrypted using server-side encryption with either
Amazon S3-managed keys (SSE-S3) or keys stored in AWS Key Management Service
(AWS KMS) (SSE-KMS).

When you configure your bucket to use default encryption with SSE-KMS, you can
also enable S3 Bucket Keys to decrease request traffic from Amazon S3 to AWS Key
Management Service (AWS KMS) and reduce the cost of encryption. For more
information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.

When you use server-side encryption, Amazon S3 encrypts an object before saving
it to disk and decrypts it when you download the object. For more information
about protecting data using server-side encryption and encryption key
management, see Protecting data using server-side encryption.

For more information about permissions required for default encryption, see
PutBucketEncryption in the Amazon Simple Storage Service API Reference.

To set up default encryption on a bucket, you can use the Amazon S3 console, AWS
CLI, AWS SDKs, or the REST API. For more information, see Enabling Amazon S3
default bucket encryption.

Encrypting existing objects

To encrypt your existing Amazon S3 objects, you can use Amazon S3 Batch
Operations. You provide S3 Batch Operations with a list of objects to operate
on, and Batch Operations calls the respective API to perform the specified
operation. You can use the Batch Operations Copy operation to copy existing
unencrypted objects and write them back to the same bucket as encrypted objects.
A single Batch Operations job can perform the specified operation on billions of
objects. For more information, see Performing large-scale batch operations on
Amazon S3 objects and the AWS Storage Blog post Encrypting objects with Amazon
S3 Batch Operations.

You can also encrypt existing objects using the Copy Object API. For more
information, see the AWS Storage Blog post Encrypting existing Amazon S3 objects
with the AWS CLI.

Note

Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as
destination buckets for Logging requests using server access logging. Only
SSE-S3 default encryption is supported for server access log destination
buckets.


USING ENCRYPTION FOR CROSS-ACCOUNT OPERATIONS

Be aware of the following when using encryption for cross-account operations:

 * The AWS managed key (aws/s3) is used when an AWS KMS key Amazon Resource
   Name (ARN) or alias is provided neither at request time nor in the bucket's
   default encryption configuration.

 * If you're uploading or accessing S3 objects using AWS Identity and Access
   Management (IAM) principals that are in the same AWS account as your KMS key,
   you can use the AWS managed key (aws/s3).

 * Use a customer managed key if you want to grant cross-account access to your
   S3 objects. You can configure the policy of a customer managed key to allow
   access from another account.

 * If you specify your own KMS key, use a fully qualified KMS key ARN. When
   you use a KMS key alias, be aware that AWS KMS resolves the alias within the
   requester's account. This can result in data encrypted with a KMS key that
   belongs to the requester, not the bucket administrator.

 * You must specify a key for which you (the requester) have been granted
   Encrypt permission. For more information, see Allows key users to use a KMS
   key for cryptographic operations in the AWS Key Management Service Developer
   Guide.

For more information about when to use customer managed keys and the AWS managed
KMS keys, see Should I use an AWS managed key or a customer managed KMS key to
encrypt my objects on Amazon S3?


USING DEFAULT ENCRYPTION WITH REPLICATION

When you enable default encryption for a replication destination bucket, the
following encryption behavior applies:

 * If objects in the source bucket are not encrypted, the replica objects in the
   destination bucket are encrypted using the default encryption settings of the
   destination bucket. This results in the ETag of the source object being
   different from the ETag of the replica object. You must update applications
   that use the ETag to accommodate this difference.

 * If objects in the source bucket are encrypted using SSE-S3 or SSE-KMS, the
   replica objects in the destination bucket use the same encryption as the
   source object encryption. The default encryption settings of the destination
   bucket are not used.

For more information about using default encryption with SSE-KMS, see
Replicating encrypted objects.


USING AMAZON S3 BUCKET KEYS WITH DEFAULT ENCRYPTION

When you configure your bucket to use default encryption for SSE-KMS on new
objects, you can also configure S3 Bucket Keys. S3 Bucket Keys decrease the
number of transactions from Amazon S3 to AWS KMS to reduce the cost of
server-side encryption using AWS Key Management Service (SSE-KMS).

When you configure your bucket to use S3 Bucket Keys for SSE-KMS on new objects,
AWS KMS generates a bucket-level key that is used to create a unique data key
for objects in the bucket. This bucket key is used for a time-limited period
within Amazon S3, reducing the need for Amazon S3 to make requests to AWS KMS to
complete encryption operations.

For more information about using an S3 Bucket Key, see Using Amazon S3 Bucket
Keys.
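The following is an added example, not code from this guide: an offline policy check over a bucket's default encryption configuration that encodes the points made above (server access log destinations must use SSE-S3, specify a fully qualified key ARN rather than an alias, and enable an S3 Bucket Key with SSE-KMS). The dictionary shape mirrors the ServerSideEncryptionConfiguration used by PutBucketEncryption and GetBucketEncryption; the key ARN and alias values are constructed sample data.

```python
"""Offline check of an S3 default-encryption configuration (added example)."""
import re

# A fully qualified KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key id>
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def sse_kms_config(key_arn, bucket_key=True):
    """Build the ServerSideEncryptionConfiguration body for SSE-KMS default encryption."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": key_arn,
                },
                # Bucket Keys cut S3 -> KMS request traffic for SSE-KMS
                "BucketKeyEnabled": bucket_key,
            }
        ]
    }


def check_default_encryption(config, log_destination=False):
    """Return a list of (severity, message) findings for one bucket's config.

    config: the ServerSideEncryptionConfiguration dict, or None when the bucket
            has no default encryption configured.
    log_destination: True if the bucket receives server access logs.
    """
    findings = []
    if not config or not config.get("Rules"):
        findings.append(("HIGH", "no default encryption: new objects are stored "
                                 "unencrypted unless each request asks for SSE"))
        return findings

    for i, rule in enumerate(config["Rules"]):
        where = f"Rules[{i}]"
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = sse.get("SSEAlgorithm")
        key_id = sse.get("KMSMasterKeyID")
        bucket_key = rule.get("BucketKeyEnabled", False)

        if algo == "AES256":  # SSE-S3
            if key_id:
                findings.append(("MEDIUM", f"{where}: KMSMasterKeyID is only meaningful with aws:kms"))
            if bucket_key:
                findings.append(("LOW", f"{where}: BucketKeyEnabled only applies to SSE-KMS"))
        elif algo == "aws:kms":  # SSE-KMS
            if log_destination:
                findings.append(("HIGH", f"{where}: SSE-KMS is not supported on a server access "
                                         "log destination bucket; use SSE-S3 (AES256)"))
            if key_id is None:
                findings.append(("INFO", f"{where}: no key given, the AWS managed key aws/s3 is used; "
                                         "use a customer managed key for cross-account access"))
            elif key_id.startswith("alias/"):
                findings.append(("MEDIUM", f"{where}: key given by alias, which KMS resolves in the "
                                           "requester's account; use a fully qualified key ARN"))
            elif not KEY_ARN_RE.match(key_id):
                findings.append(("MEDIUM", f"{where}: KMSMasterKeyID is not a fully qualified key ARN"))
            if not bucket_key:
                findings.append(("LOW", f"{where}: BucketKeyEnabled is false; enabling it reduces "
                                        "KMS requests and SSE-KMS cost"))
        else:
            findings.append(("HIGH", f"{where}: unknown SSEAlgorithm {algo!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values; the key ID is not a real key.
    sample_arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for label, cfg, is_log in [
        ("kms-by-arn", sse_kms_config(sample_arn), False),
        ("kms-by-alias", sse_kms_config("alias/my-app-key", bucket_key=False), False),
        ("kms-log-bucket", sse_kms_config(sample_arn), True),
        ("none", None, False),
    ]:
        print(label, check_default_encryption(cfg, log_destination=is_log))
```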

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.