AWS S3 Default Encryption vs. Bucket Policies
Overview of S3 Default Encryption
- By default, new S3 buckets are encrypted using SSE-S3 (Server-Side Encryption with Amazon S3-managed keys).
- This automatic encryption applies to all new objects stored in new buckets.
- Users can change the default encryption setting to another method such as SSE-KMS (Server-Side Encryption with AWS Key Management Service keys).
Bucket Policies for Enforcing Encryption
- Bucket policies can enforce encryption by denying API calls that do not include the correct encryption headers.
- Policies can specify requirements such as:
  - The use of AWS KMS (SSE-KMS) for encryption.
  - The use of customer-provided encryption keys (SSE-C).
Example Bucket Policy
- A policy might deny a PUT Object request that lacks the AWS KMS (SSE-KMS) encryption header.
- Another policy might reject uploads that do not include the SSE-C customer-provided encryption algorithm header.
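The SSE-KMS case above, as an added example that is not part of the original notes: a Python function that builds the bucket policy (two Deny statements, so both a wrong header value and a missing header are rejected), plus a client-side pre-check that mirrors the policy's intent before an upload is attempted. The bucket name and Sids are assumed placeholders; the header and condition key names are the ones S3 documents.

```python
import json

# Header S3 reads on PutObject and the IAM condition key that mirrors it.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"


def build_sse_kms_policy(bucket: str) -> dict:
    """Bucket policy that denies PutObject unless SSE-KMS is requested.

    Statement 1 catches a header with another value (e.g. AES256 = SSE-S3);
    statement 2 catches an absent header, where default encryption would
    otherwise silently apply SSE-S3 on the server side.
    """
    arn = f"arn:aws:s3:::{bucket}/*"  # bucket name is a placeholder
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: "aws:kms"}},
            },
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {SSE_CONDITION_KEY: "true"}},
            },
        ],
    }


def upload_violations(headers: dict) -> list:
    """Client-side pre-check mirroring the policy's intent (it is not the
    IAM evaluator): the Sids a PutObject with these headers would trip."""
    value = {k.lower(): v for k, v in headers.items()}.get(SSE_HEADER)
    if value is None:
        return ["DenyMissingEncryptionHeader"]
    if value != "aws:kms":
        return ["DenyWrongEncryptionHeader"]
    return []


def policy_json(bucket: str) -> str:
    """Serialized policy, ready to pass to put-bucket-policy."""
    return json.dumps(build_sse_kms_policy(bucket), indent=2)
```

Run `upload_violations({})` to see that a header-less upload is flagged even though default encryption would have encrypted the object.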
Policy Evaluation Order
- Bucket policies are evaluated before the default encryption settings are applied, so a PUT Object request that lacks the header a policy requires is denied even though default encryption would otherwise have encrypted the object.
Key Takeaways
- S3 buckets come with default encryption (SSE-S3), but this can be changed.
- Bucket policies can be used to enforce specific encryption requirements.
- Policies override default encryption settings when they are in conflict.
Conclusion
- Understanding the interplay between default encryption and bucket policies is crucial for securing your S3 buckets.
- You can customize encryption settings to meet your security needs using either default settings or bucket policies.