What bucket policy should I use with default encryption on my Amazon S3 bucket?
Last updated: 2019-02-28
I enabled default encryption on my Amazon Simple Storage Service (Amazon S3) bucket. Do I need to change my bucket policy to be sure that objects stored on my bucket are encrypted?
No, you don't need to update your bucket policy. If you enable default encryption and a user uploads an object without encryption information, Amazon S3 uses the default encryption method that you specify. If a user specifies encryption information in the PUT request, Amazon S3 uses the encryption specified in the request. This behavior applies to encryption with either keys managed by Amazon S3, labeled as SSE-S3 keys, or keys managed by AWS Key Management Service (AWS KMS), labeled as SSE-KMS keys.
For more information on encryption behavior after you enable default encryption, see Setting default server-side encryption behavior for Amazon S3 buckets.
Important: For users to access objects after you enable default encryption using a custom AWS KMS key, you must also grant those users the permissions to use the key on the key policy or their AWS Identity and Access Management (IAM) policy. For instructions on how to grant users these permissions, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?