Mandating Encryption for an S3 Bucket
To mandate that all data uploaded to a bucket is encrypted, it is possible to set a bucket policy declaring that clients must provide encryption information with all data uploaded.
Mandating encryption across a bucket offers significant benefits:
It guarantees that all clients uploading data have encryption enabled; there is no need (or indeed, easy mechanism) to test this within a client.
It guarantees that the same encryption mechanism is used by all clients.
If applied to an empty bucket, it guarantees that all data in the bucket is encrypted.
We recommend selecting an encryption policy for a bucket when the bucket is created, and setting it in the bucket policy. This stops misconfigured clients from unintentionally uploading unencrypted data.
Note
Mandating an encryption mechanism on newly uploaded data does not encrypt existing data; existing data will retain whatever encryption (if any) applied at the time of creation.
Here is a policy to mandate SSE-S3/AES265 encryption on all data uploaded to a bucket. This covers uploads as well as the copy operations which take place when file/directory rename operations are mimicked.
{ "Version": "2012-10-17", "Id": "EncryptionPolicy", "Statement": [ { "Sid": "RequireEncryptionHeaderOnPut", "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::BUCKET/*", "Condition": { "Null": { "s3:x-amz-server-side-encryption": true } } }, { "Sid": "RequireAESEncryptionOnPut", "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::BUCKET/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } } ] }
To use SSE-KMS, a different restriction must be defined:
{ "Version": "2012-10-17", "Id": "EncryptionPolicy", "Statement": [ { "Sid": "RequireEncryptionHeaderOnPut", "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::BUCKET/*", "Condition": { "Null": { "s3:x-amz-server-side-encryption": true } } }, { "Sid": "RequireKMSEncryptionOnPut", "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::BUCKET/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "SSE-KMS" } } } ] }
To use one of these policies:
Replace
BUCKET
with the specific name of the bucket being secured.Locate the bucket in the AWS console S3 section.
Select the "Permissions" tab.
Select the "Bucket Policy" tab in the permissions section.
Paste the edited policy into the editor.
Save the policy.