Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Server-side encryption protects data at rest. With server-side encryption using Amazon S3-managed encryption keys (SSE-S3), Amazon S3 encrypts each object with a unique data key and, as an additional safeguard, encrypts that data key with a master key that it rotates regularly (a two-level, envelope-style scheme). The object data is encrypted with 256-bit Advanced Encryption Standard (AES-256). Amazon S3 holds and manages both levels of keys; with SSE-S3 you never handle the keys yourself, and you have no access to them.
Amazon S3 supports bucket policies that you can use to require server-side encryption for every object stored in your bucket. The following bucket policy contains two Deny statements on s3:PutObject that together reject any upload that does not request SSE-S3: the first denies requests whose x-amz-server-side-encryption header carries any value other than AES256, and the second denies requests that omit the header altogether. Because the principal is "*", both denies apply to every caller, including identities in your own account. Note that a header value of aws:kms (SSE-KMS) is also rejected by this policy as written; change the expected value if you intend to require SSE-KMS instead.
{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
Server-side encryption encrypts only the object data. Object metadata, including any user-defined x-amz-meta-* metadata, is stored unencrypted, so do not place sensitive values in it.
API Support for Server-Side Encryption
The object creation REST APIs (see Specifying Server-Side Encryption Using the REST API) provide a request header, x-amz-server-side-encryption, that you can use to request server-side encryption.
The following Amazon S3 APIs support this header.
- PUT operation: When uploading data using the PUT API (see PUT Object), you can specify the request header.
- Initiate Multipart Upload: When uploading large objects using the multipart upload API, you specify the header in the initiate request (see Initiate Multipart Upload), not in the individual Upload Part requests.
- POST operation: When using a POST operation to upload an object (see POST Object), instead of the request header, you provide the same information in a form field of the same name.
- COPY operation: When you copy an object (see PUT Object - Copy), you have both a source object and a target object. The header in the copy request applies to the target object; the source object's encryption is not carried over automatically, so include the header if the copy must be encrypted. The copy is authorized as s3:PutObject on the target, so a bucket policy like the one above applies to copies as well.
The AWS SDKs also provide wrapper APIs for you to request server-side encryption. You can also use the AWS Management Console to upload objects and request server-side encryption.
Note
You can't enforce whether or not objects are encrypted with SSE-S3 when they are uploaded using pre-signed URLs. This is because the only way you can specify server-side encryption is through the AWS Management Console or through an HTTP request header. For more information, see Specifying Conditions in a Policy.
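The following script is an added example, not code from the AWS documentation. It models, offline, how the bucket policy shown earlier is evaluated against the object-creation operations listed above: it rebuilds the two Deny statements, constructs the condition context that a PUT, Initiate Multipart Upload, POST (form field) or COPY request would present to the policy engine, and reports which statements fire. The bucket name YourBucket and the object keys are placeholders and the request samples are constructed. It implements only the two condition operators the policy uses, and it models StringNotEquals as not matching when the key is absent, which is the conservative reading under which the separate Null statement is needed; consult the IAM condition-operator documentation for the authoritative treatment of absent keys.

```python
"""Offline model of the SSE-S3 bucket policy from this page (added example).

Not AWS code. Assumptions: placeholder bucket "YourBucket"; only the Null and
StringNotEquals operators are implemented; StringNotEquals is treated as not
matching when the condition key is absent from the request.
"""
import fnmatch
import json

# The two-statement policy from the page, verbatim apart from whitespace.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")

SSE_HEADER = "x-amz-server-side-encryption"
SSE_KEY = "s3:" + SSE_HEADER          # condition key the header populates


def request_context(operation, bucket, key, headers=None, form_fields=None):
    """Return (action, resource ARN, condition context) for one object-creation request.

    PUT, Initiate Multipart Upload and COPY carry the header on the request;
    POST carries the same value as a form field. COPY is authorized as
    s3:PutObject on the target object, and the header applies to the target.
    """
    headers = headers or {}
    form_fields = form_fields or {}
    if operation == "POST":
        value = form_fields.get(SSE_HEADER)
    elif operation in ("PUT", "INITIATE_MULTIPART", "COPY"):
        value = headers.get(SSE_HEADER)
    else:
        raise ValueError(f"unsupported operation {operation}")
    ctx = {SSE_KEY: value} if value is not None else {}
    return "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", ctx


def _condition_matches(condition, ctx):
    """Evaluate a Condition block; every operator/key pair must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" means: match when the key is absent from the request.
                want_absent = str(expected).lower() == "true"
                if (not present) != want_absent:
                    return False
            elif operator == "StringNotEquals":
                # Assumption: an absent key does not satisfy StringNotEquals.
                if not present or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def matching_denies(policy, action, resource, ctx):
    """Return the Sids of Deny statements that apply to this request.

    An empty list means this policy does not block the request; whether it is
    ultimately allowed still depends on an Allow elsewhere (IAM default-deny).
    """
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits


def check(operation, bucket, key, headers=None, form_fields=None):
    """Build the context for one request and evaluate the page's policy against it."""
    action, resource, ctx = request_context(operation, bucket, key, headers, form_fields)
    return matching_denies(POLICY, action, resource, ctx)


if __name__ == "__main__":
    # Constructed sample requests against the placeholder bucket.
    samples = [
        ("PUT", {SSE_HEADER: "AES256"}, None),
        ("PUT", {SSE_HEADER: "aws:kms"}, None),   # SSE-KMS is also rejected by this policy
        ("PUT", {}, None),                         # no header at all
        ("INITIATE_MULTIPART", {SSE_HEADER: "AES256"}, None),
        ("POST", None, {SSE_HEADER: "AES256"}),   # POST: same value as a form field
        ("COPY", {}, None),                        # copy without re-requesting SSE on the target
    ]
    for op, hdrs, fields in samples:
        verdict = check(op, "YourBucket", "report.csv", hdrs, fields) or "not denied"
        print(f"{op:18s} -> {verdict}")
```

Running it prints one line per sample. The aws:kms case and the no-header case are caught by different statements, which is why the policy carries both; the COPY sample without a header is denied too, because the copy is an s3:PutObject on the target object. Requests to a different bucket or for a different action fall outside the Resource and Action of both statements and are not denied by this policy at all.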