When I enable default encryption with AWS KMS on my Amazon S3 bucket, what happens to the objects already in the bucket?

Last updated: 2019-05-08

I want to enable default encryption using AWS Key Management Service (AWS KMS) on my Amazon Simple Storage Service (Amazon S3) bucket. I already have objects stored in the bucket. If I enable default encryption, what happens to the encryption of existing objects? 


Enabling default encryption doesn't change the encryption of objects that are already in the bucket. After you enable default encryption, the encryption that you set applies only to future uploads. For example, if you enable server-side encryption with AWS KMS (SSE-KMS) on the bucket, then any unencrypted objects already in the bucket remain unencrypted. Additionally, any objects already encrypted using Amazon S3-managed keys (SSE-S3) remain encrypted with SSE-S3.

To change the encryption of an existing object to SSE-KMS, you must re-upload the object. Or, you can copy the object over itself.

Important: To perform the upload or copy, you must have permissions to the object. If you don't own the bucket or the object, the bucket owner can delegate object permissions to you.

Did this article help you?

Anything we could improve?

Need more help?