How can I encrypt a specific folder in my Amazon S3 bucket using AWS KMS?

Last updated: 2019-06-20

I want to encrypt a specific folder in my Amazon Simple Storage Service (Amazon S3) bucket with an AWS Key Management Service (AWS KMS) key. How can I do that? 

Resolution

Encrypting a folder using the Amazon S3 console

  1. Open the Amazon S3 console.
  2. Navigate to the folder that you want to encrypt.
  3. Select the folder, and then choose Actions.
  4. Choose Change encryption.
  5. For Change encryption, select AWS-KMS.
  6. For Select a key, select the AWS KMS key that you want to encrypt the folder with.
    Note: The key named aws/s3 is a default key managed by AWS KMS. You can encrypt the folder with either the default key or a custom key.
  7. Choose Save.

Encrypting a folder using the AWS Command Line Interface (AWS CLI)

Note: You can't change the encryption of an existing folder using an AWS CLI command. Instead, you can run an AWS CLI command that copies the folder over itself with AWS KMS encryption enabled.

To encrypt the files using the default AWS KMS key (aws/s3), run this command to copy the folder over itself with AWS KMS encryption:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms

To encrypt the files using a custom AWS KMS key, run the following command. Be sure to specify your key's ID as the value for --sse-kms-key-id:

aws s3 cp s3://awsexamplebucket/abc s3://awsexamplebucket/abc --recursive --sse aws:kms --sse-kms-key-id a1b2c3d4-e5f6-7890-g1h2-123456789abc

Requiring that future uploads encrypt objects with AWS KMS

After you change encryption, only the objects that are already in the folder are encrypted. Objects added to the folder after you change encryption can be uploaded without encryption. You can use a bucket policy to require that future uploads encrypt objects with AWS KMS.

For example, the following bucket policy denies access to s3:PutObject on awsexamplebucket/awsexamplefolder/* unless the request includes server-side encryption with AWS KMS:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/awsexamplefolder/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}
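An added check, not part of this article: after running the copy commands above, and periodically afterwards because the bucket policy only governs new PutObject requests, a practitioner wants to confirm which objects under the folder actually carry SSE-KMS. The script below classifies each object from its HeadObject metadata (ServerSideEncryption is absent for unencrypted objects, AES256 for SSE-S3, aws:kms for SSE-KMS with the key ARN in SSEKMSKeyId); the sample metadata is constructed, and the live listing assumes boto3 with configured credentials.

```python
from typing import Iterable, Optional


def classify(head: dict, expected_key_arn: Optional[str] = None) -> str:
    """Classify one object from its HeadObject response:
    'ok', 'wrong-key', 'sse-s3', 'unencrypted' or 'unknown'."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"
    if sse == "AES256":
        return "sse-s3"
    if sse == "aws:kms":
        # If a specific customer key is expected, make sure it was used.
        if expected_key_arn and head.get("SSEKMSKeyId") != expected_key_arn:
            return "wrong-key"
        return "ok"
    return "unknown"


def audit(objects: Iterable[tuple], expected_key_arn: Optional[str] = None) -> dict:
    """Group object keys by classification; `objects` yields (key, head)."""
    report: dict = {}
    for key, head in objects:
        report.setdefault(classify(head, expected_key_arn), []).append(key)
    return report


def iter_heads(bucket: str, prefix: str):
    """Yield (key, HeadObject response) for every object under prefix.
    boto3 is imported lazily so the offline parts run without it (assumption:
    boto3 installed and AWS credentials configured when this is called)."""
    import boto3
    s3 = boto3.client("s3")
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):
            yield obj["Key"], s3.head_object(Bucket=bucket, Key=obj["Key"])


# Constructed sample of HeadObject metadata for three objects under abc/.
SAMPLE = [
    ("abc/a.txt", {"ServerSideEncryption": "aws:kms",
                   "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}),
    ("abc/b.txt", {"ServerSideEncryption": "AES256"}),
    ("abc/c.txt", {}),  # uploaded after the folder was re-encrypted, no SSE
]

if __name__ == "__main__":
    for status, keys in sorted(audit(SAMPLE).items()):
        print(f"{status}: {keys}")
```

Replace SAMPLE with iter_heads("awsexamplebucket", "abc/") to run it against a real bucket; anything reported as unencrypted or sse-s3 is a candidate for another copy with --sse aws:kms.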
