How can I encrypt a specific folder in my Amazon S3 bucket using AWS KMS?

Last updated: 2021-01-05

I want to encrypt a specific folder in my Amazon Simple Storage Service (Amazon S3) bucket with an AWS Key Management Service (AWS KMS) key. How can I do that?

Resolution

Encrypting a folder using the Amazon S3 console

1.    Open the Amazon S3 console.

2.    Navigate to the folder that you want to encrypt.

3.    Select the folder, and then choose Actions.

4.    Choose Edit server-side encryption.

5.    Under Server-side encryption, select Enable.

6.    For Encryption key type, choose AWS Key Management Service key (SSE-KMS).

7.    Select the AWS KMS key that you want to use for folder encryption.

Note: The key named aws/s3 is a default key managed by AWS KMS. You can encrypt the folder with either the default key or a custom key.

8.    Choose Save changes.

Encrypting a folder using the AWS CLI

Note: You can't change the encryption of an existing folder in place with an AWS Command Line Interface (AWS CLI) command. Instead, copy the folder over itself with AWS KMS encryption enabled; each object is rewritten as an encrypted copy.

To encrypt the files using the default AWS KMS key (aws/s3), run the following command:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms

This command copies the folder over itself, storing each object again with AWS KMS encryption.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

To encrypt the files using a custom AWS KMS key, run the following command:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms --sse-kms-key-id a1b2c3d4-e5f6-7890-g1h2-123456789abc

Make sure to specify your own key ID for --sse-kms-key-id.
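After the copy finishes, a practitioner normally wants to confirm that every object under the folder prefix is now SSE-KMS encrypted, and with the intended key. The following is an added example, not part of the AWS article: it audits dictionaries shaped like the HeadObject response (ServerSideEncryption and SSEKMSKeyId are the real response fields, and an object stored without server-side encryption has no ServerSideEncryption field at all). The sample objects are constructed, the key ARN is a placeholder built around the article's example key ID, and the fetch_heads helper assumes the standard boto3 S3 client calls (list_objects_v2 through a paginator, then head_object per key).

```python
"""Audit which objects under a prefix still lack SSE-KMS after the re-copy.

Added example, not part of the AWS article. It works offline on dictionaries
shaped like the HeadObject response; the sample data below is constructed and
the KMS key ARN is a placeholder.
"""

# Placeholder key ARN built around the article's example key ID (not a real key).
EXPECTED_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-e5f6-7890-g1h2-123456789abc"
)

# Constructed sample: object key -> encryption-related part of its HeadObject
# response. An object stored without server-side encryption has no
# 'ServerSideEncryption' field at all.
SAMPLE_HEADS = {
    "abc/report.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": EXPECTED_KEY_ARN},
    "abc/legacy.txt": {"ServerSideEncryption": "AES256"},
    "abc/uploaded-later.bin": {},
    "abc/other-key.json": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    },
    "xyz/outside-prefix.txt": {"ServerSideEncryption": "AES256"},
}


def noncompliant_objects(heads, prefix, expected_key_arn=None):
    """Return {key: reason} for objects under `prefix` not encrypted as required.

    With expected_key_arn=None any SSE-KMS key is accepted (the aws/s3 default
    key case); otherwise the object must be encrypted with exactly that key.
    """
    findings = {}
    for key, head in heads.items():
        if not key.startswith(prefix):
            continue
        algo = head.get("ServerSideEncryption")
        if algo is None:
            findings[key] = "no server-side encryption"
        elif algo != "aws:kms":
            findings[key] = f"encrypted with {algo}, not SSE-KMS"
        elif expected_key_arn is not None and head.get("SSEKMSKeyId") != expected_key_arn:
            findings[key] = f"SSE-KMS with unexpected key {head.get('SSEKMSKeyId')}"
    return findings


def fetch_heads(bucket, prefix):
    """Collect HeadObject results for every object under `prefix`.

    Needs boto3 and credentials, so it is not exercised offline. Assumes the
    standard boto3 S3 client API: list_objects_v2 via a paginator, then
    head_object for each key.
    """
    import boto3  # imported lazily so the offline functions above work without it

    s3 = boto3.client("s3")
    heads = {}
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return heads


if __name__ == "__main__":
    findings = noncompliant_objects(SAMPLE_HEADS, "abc/", EXPECTED_KEY_ARN)
    for key, reason in sorted(findings.items()):
        print(f"{key}: {reason}")
```

Passing the expected key ARN catches the case the algorithm check alone misses: an object that is SSE-KMS encrypted, but with a key other than the one you chose for the folder.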

Requiring that future uploads encrypt objects with AWS KMS

Changing the encryption setting affects only the objects that are already in the folder. Objects uploaded to the folder afterwards can still be stored without encryption. You can use a bucket policy to require that future uploads encrypt objects with AWS KMS.

For example:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}

This bucket policy denies s3:PutObject on awsexamplebucket/awsexamplefolder/* unless the request includes server-side encryption with AWS KMS. The first statement rejects uploads whose x-amz-server-side-encryption header carries a value other than aws:kms; the second rejects uploads that omit the header entirely. Objects outside awsexamplefolder/ are not covered by either statement.
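To see which uploads the two Deny statements catch, the following is an added example, not part of the AWS article and not the IAM engine itself: a small evaluator that models only what this policy uses (Deny statements, the '*' wildcard in Resource, and the StringNotEquals and Null condition operators) and runs the article's policy against sample PutObject requests. The bucket and folder names are the article's placeholders; the object keys are constructed. An empty result means "not denied by this policy", not "allowed": the caller still needs an Allow from an IAM or bucket policy.

```python
"""Evaluate the article's bucket policy against sample PutObject requests.

Added example, not part of the AWS article. This is a deliberately small
evaluator covering only the constructs the policy uses; it is not a general
IAM policy engine.
"""
import fnmatch
import json

# The bucket policy from the article, verbatim.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}
""")

SSE_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def resource_matches(pattern, bucket, key):
    """IAM-style wildcard: '*' spans any run of characters, '/' included."""
    return fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}/{key}", pattern)


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for cond_key, expected in pairs.items():
            actual = context.get(cond_key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a key missing from the request context
                # counts as "not equal", so the condition still holds.
                if actual is not None and actual == expected:
                    return False
            elif operator == "Null":
                # "Null": {key: true} asks for the key to be absent;
                # "Null": {key: false} asks for it to be present.
                want_absent = expected in (True, "true")
                if (actual is None) != want_absent:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denying_sids(policy, action, bucket, key, context):
    """Sids of the Deny statements matching this request (empty = not denied)."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(resource_matches(r, bucket, key) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            sids.append(stmt["Sid"])
    return sids


def put_object_denied_by(key, sse_header=None, bucket="awsexamplebucket"):
    """Model a PutObject with an optional x-amz-server-side-encryption header."""
    context = {} if sse_header is None else {SSE_KEY: sse_header}
    return denying_sids(POLICY, "s3:PutObject", bucket, key, context)


if __name__ == "__main__":
    for header in (None, "AES256", "aws:kms"):
        print(header, "->", put_object_denied_by("awsexamplefolder/report.csv", header))
    print("outside folder ->", put_object_denied_by("otherfolder/report.csv"))
```

Running it shows the division of labour between the two statements: a header of AES256 trips only DenyIncorrectEncryptionHeader, a missing header trips DenyUnEncryptedObjectUploads, a header of aws:kms trips neither, and an upload to a different folder is not touched by the policy at all.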
