Description: S3 default encryption provides a way to set the default encryption behavior for an Amazon S3 bucket. You can set default encryption on a bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).


Rationale: With server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the object. Setting default encryption at the bucket level enforces this for every object without relying on each client to request it. For more information about protecting data using server-side encryption and encryption key management, see the AWS documentation listed under Resources.


Remediation:

To enable default encryption on an Amazon S3 bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, choose the name of the bucket that you want.
  3. Choose Properties.
  4. Choose Default encryption.
  5. If you want to use keys that are managed by Amazon S3 for default encryption, choose AES-256, and choose Save.
  6. If you want to use CMKs that are stored in AWS KMS for default encryption, follow these steps:

     a. Choose AWS-KMS.

     b. To choose a customer-managed AWS KMS CMK that you have created, use one of these methods:
        - In the list that appears, choose the AWS KMS CMK.
        - In the list that appears, choose Custom KMS ARN, and then enter the Amazon Resource Name of the AWS KMS CMK.

  7. Choose Save.

Default: Default encryption works with all existing and new Amazon S3 buckets, but it is not turned on for a bucket until you configure it. Enabling it does not re-encrypt objects that were already stored in the bucket; only objects written after the setting takes effect are encrypted by default. Without default encryption, to encrypt all objects stored in a bucket, you must include encryption information with every object storage request. You must also set up an Amazon S3 bucket policy to reject storage requests that don't include encryption information.
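The console steps above and the bucket-policy alternative in the Default section can also be audited and applied from the S3 API. The following is an added example written for this page, not code from the benchmark or from AWS. It builds the same ServerSideEncryptionConfiguration the console writes (SSE-S3 or SSE-KMS with a chosen CMK), classifies a get-bucket-encryption response as compliant or not, and produces the deny-unencrypted-uploads bucket policy for buckets where default encryption is not used. The bucket name, the KMS key ARN and the sample API responses are constructed placeholders; the `apply_default_encryption` function assumes boto3 and AWS credentials are available and is the only part that talks to AWS.

```python
"""Audit and remediate Amazon S3 default encryption (added example, not from the CIS page)."""
import json

# Constructed placeholders; replace with your own bucket and CMK ARN.
EXAMPLE_BUCKET = "example-audit-bucket"
EXAMPLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample responses in the shape returned by get_bucket_encryption.
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": EXAMPLE_KMS_KEY_ARN}}]}}


def encryption_rule(kms_key_arn=None):
    """Build the body for put_bucket_encryption.

    No key ARN -> SSE-S3 (console step 5, AES-256).
    Key ARN    -> SSE-KMS with that customer-managed CMK (console step 6).
    """
    if kms_key_arn is None:
        default = {"SSEAlgorithm": "AES256"}
    else:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}


def audit_encryption(config):
    """Classify a get_bucket_encryption response.

    `config` is the response dict, or None when the API raised
    ServerSideEncryptionConfigurationNotFoundError (nothing configured).
    Returns (compliant, reason).
    """
    if config is None:
        return False, "no default encryption configured"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "encryption configuration has no rules"
    default = rules[0].get("ApplyServerSideEncryptionByDefault") or {}
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return True, "SSE-S3 (AES256)"
    if algorithm == "aws:kms":
        key = default.get("KMSMasterKeyID")
        # Without KMSMasterKeyID, S3 uses the AWS managed key aws/s3 in the bucket's region.
        return True, f"SSE-KMS with key {key}" if key else "SSE-KMS with the AWS managed key aws/s3"
    return False, f"unexpected SSEAlgorithm {algorithm!r}"


def deny_unencrypted_put_policy(bucket):
    """Bucket policy rejecting PutObject requests that carry no (or an unknown) SSE header.

    This is the 'reject storage requests that don't include encryption information'
    control for buckets that do not use default encryption.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyUnknownSSEAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        {"Sid": "DenyMissingSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def fetch_encryption(s3, bucket):
    """Return the bucket's encryption config, or None when none is set (assumes boto3)."""
    from botocore.exceptions import ClientError  # lazy: audit helpers above need no AWS
    try:
        return s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise


def apply_default_encryption(bucket, kms_key_arn=None):
    """Remediate via the API (equivalent to console steps 1-7) and re-audit. Assumes boto3 + credentials."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=encryption_rule(kms_key_arn))
    return audit_encryption(fetch_encryption(s3, bucket))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no AWS calls are made here.
    for name, cfg in (("none", None), ("sse-s3", SAMPLE_SSE_S3), ("sse-kms", SAMPLE_SSE_KMS)):
        print(name, audit_encryption(cfg))
    print(json.dumps(deny_unencrypted_put_policy(EXAMPLE_BUCKET), indent=2))
```

One interaction worth knowing before combining both controls: the `DenyMissingSSEHeader` statement is evaluated on the request as sent, so a client that omits the `x-amz-server-side-encryption` header is rejected by the policy even when default encryption would have encrypted the object anyway. Use the policy where you want non-compliant clients to fail loudly, and default encryption where you want them to succeed with the object encrypted regardless.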


Resources: 

1. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html