Accessing Cloud Data

Encrypting an S3 Bucket with Amazon S3 Default Encryption

To guarantee that all data uploaded to a bucket is encrypted, you can set a default encryption option for the bucket in the AWS Management Console.

For more information, see Amazon S3 Default Encryption for S3 Buckets.

  • This does not encrypt any data already stored in the bucket.
  • S3A clients can still be configured to use a different encryption option if desired; the bucket default is the value used when the client sets no other encryption option.

Default encryption across a bucket offers significant benefits:

  • It guarantees that all clients uploading data have encryption enabled.
  • It guarantees that when a file is renamed, it will be re-encrypted, even if the client does not explicitly request encryption.
  • If applied to an empty bucket, it guarantees that all future uploaded data in the bucket is encrypted.

We recommend selecting an encryption policy for a bucket when the bucket is created, and setting it in the bucket policy. This stops misconfigured clients from unintentionally uploading unencrypted data, or decrypting data when renaming files.
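The two caveats noted earlier (data already in the bucket is not encrypted, and S3A clients can still request a different option) can be checked once the default is set. The following Python is an added example, not part of the original documentation: it classifies objects against the bucket default using dictionaries shaped like boto3's `get_bucket_encryption()` and `head_object()` responses. The object names, key ARNs and function names are constructed for illustration, and it assumes the default names its KMS key by full ARN.

```python
# Added example. Inputs mirror the response shapes of boto3's
# get_bucket_encryption() and head_object(); every value is constructed.
DEFAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-DEFAULT"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER"

BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": DEFAULT_KEY}}]}}

HEAD_RESPONSES = {  # object key -> HeadObject response fields
    "data/before-default.csv": {},  # stored before the default was set
    "data/after-default.csv": {"ServerSideEncryption": "aws:kms",
                               "SSEKMSKeyId": DEFAULT_KEY},
    "data/client-sse-s3.csv": {"ServerSideEncryption": "AES256"},
    "data/client-other-key.csv": {"ServerSideEncryption": "aws:kms",
                                  "SSEKMSKeyId": OTHER_KEY},
}

def bucket_default(enc_response):
    """Return (algorithm, kms_key_id) of the bucket's default rule."""
    rules = enc_response["ServerSideEncryptionConfiguration"]["Rules"]
    default = rules[0]["ApplyServerSideEncryptionByDefault"]
    return default["SSEAlgorithm"], default.get("KMSMasterKeyID")

def classify(head, default):
    """Compare one object's encryption metadata with the bucket default."""
    default_algo, default_key = default
    algo = head.get("ServerSideEncryption")
    if algo is None:
        return "unencrypted"       # the default is not applied retroactively
    if algo != default_algo:
        return "client-override"   # client requested another algorithm
    # Assumption: the default names its key by full ARN, so the two
    # strings are directly comparable.
    if default_key and head.get("SSEKMSKeyId") != default_key:
        return "client-override"   # same algorithm, different KMS key
    return "matches-default"

def audit(head_responses, enc_response):
    """Group object keys by how they relate to the bucket default."""
    default = bucket_default(enc_response)
    report = {"unencrypted": [], "client-override": [], "matches-default": []}
    for key in sorted(head_responses):
        report[classify(head_responses[key], default)].append(key)
    return report

if __name__ == "__main__":
    for category, keys in audit(HEAD_RESPONSES, BUCKET_ENCRYPTION).items():
        print(f"{category}: {keys}")
```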
