Default Encryption vs. Bucket Policies in Amazon S3

Amazon S3 provides default encryption and bucket policies to enforce encryption on stored objects. While default encryption ensures that objects are automatically encrypted, bucket policies offer stricter enforcement by denying non-compliant requests.


1. Default Encryption in Amazon S3

Changing Default Encryption to SSE-KMS

To switch from SSE-S3 to SSE-KMS, update the default encryption settings in the S3 Management Console or use the AWS CLI:

aws s3api put-bucket-encryption --bucket your-bucket-name --server-side-encryption-configuration '{
    "Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "your-kms-key-id"
        }
    }]
}'


2. Enforcing Encryption with a Bucket Policy

While default encryption automatically encrypts objects, bucket policies allow you to reject uploads that don't comply with your encryption standards.

Example Bucket Policy for SSE-KMS

This policy denies any PUT request that does not specify SSE-KMS encryption:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::your-bucket-name/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}

Example Bucket Policy for SSE-C

To enforce server-side encryption with customer-provided keys (SSE-C), deny uploads that do not specify SSE-C. SSE-C is signalled by the x-amz-server-side-encryption-customer-algorithm request header rather than x-amz-server-side-encryption, so the condition key differs from the SSE-KMS policy above:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::your-bucket-name/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption-customer-algorithm": "AES256"
      }
    }
  }]
}
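The following is an added example, not AWS code and not part of the original article: an offline simulator that evaluates Deny statements of the kind shown in both policies above against constructed PutObject requests, and then shows what default encryption does for a request that the policy did not reject. It models the IAM rule that a condition key absent from the request context does not match a String* operator, so the generated policy also carries a statement using the Null operator to reject requests that omit the header entirely; the bucket name, object key, key ID and request header sets are constructed sample values.

```python
"""Offline simulator for S3 bucket-policy Deny statements that enforce
server-side encryption. Added example, not AWS code; it makes no API calls."""
from fnmatch import fnmatchcase

# Condition keys that S3 derives from PutObject request headers (real key names).
HEADER_TO_CONDITION_KEY = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
    "x-amz-server-side-encryption-customer-algorithm":
        "s3:x-amz-server-side-encryption-customer-algorithm",
}


def build_deny_policy(bucket, condition_key, required_value):
    """Two Deny statements: one for a wrong header value, one for a missing header."""
    base = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**base, "Sid": "DenyWrongEncryptionHeader",
             "Condition": {"StringNotEquals": {condition_key: required_value}}},
            {**base, "Sid": "DenyMissingEncryptionHeader",
             "Condition": {"Null": {condition_key: "true"}}},
        ],
    }


def request_context(headers):
    """Translate request headers into the IAM condition keys they populate."""
    return {HEADER_TO_CONDITION_KEY[name.lower()]: value
            for name, value in headers.items()
            if name.lower() in HEADER_TO_CONDITION_KEY}


def condition_matches(condition, ctx):
    """Evaluate a Condition block; every operator/key pair must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # Modeled rule: a missing key never matches, so the negated
                # operator on its own does not catch an absent header.
                if not present or ctx[key] == expected:
                    return False
            elif operator == "Null":
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            else:
                raise ValueError(f"operator not modeled: {operator}")
    return True


def evaluate_put(policy, bucket, key, headers, default_sse=None):
    """Return ("DENIED", sid) when a Deny statement matches the request, else
    ("NOT_DENIED", effective_algorithm). default_sse is the bucket's default
    SSEAlgorithm and only applies when the request sends no encryption header."""
    ctx = request_context(headers)
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase("s3:PutObject", a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return ("DENIED", stmt["Sid"])
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in lower:
        effective = "SSE-C"
    else:
        effective = lower.get("x-amz-server-side-encryption", default_sse)
    return ("NOT_DENIED", effective)


if __name__ == "__main__":
    # Constructed sample bucket, default encryption and request header sets.
    kms_policy = build_deny_policy("example-bucket",
                                   "s3:x-amz-server-side-encryption", "aws:kms")
    for headers in ({"x-amz-server-side-encryption": "aws:kms"},
                    {"x-amz-server-side-encryption": "AES256"},
                    {}):
        print(headers, "->", evaluate_put(kms_policy, "example-bucket",
                                          "report.csv", headers, default_sse="aws:kms"))
```

Run with the first statement only (drop the Null statement) and the empty-header request is no longer denied: default encryption then silently encrypts the object with aws:kms, which is exactly the difference between the two mechanisms the article describes.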