Encrypting an S3 Bucket with Amazon S3 Default Encryption

To guarantee that all data uploaded to a bucket is encrypted, it is possible to set a default encryption option for a bucket in the AWS management console.

For more information, see Amazon S3 Default Encryption for S3 Buckets.

• This does not encrypt any data already stored in the bucket.
• S3A clients can still be configured to use a different encryption option if desired; this is the default value to use if no other policy was set.

A default encryption across a bucket offers significant benefits:

• It guarantees that all clients uploading data have encryption enabled.
• It guarantees that when a file is renamed, it will be re-encrypted, even if the client does not explicitly request encryption.
• If applied to an empty bucket, it guarantees that all future uploaded data in the bucket is encrypted.

We recommend selecting an encryption policy for a bucket when the bucket is created, and setting it in the bucket policy. This stops misconfigured clients from unintentionally uploading unencrypted data, or decrypting data when renaming files.