S3

Good question 💪 — encrypting your S3 bucket is a best practice for securing data at rest. Let’s go step-by-step 👇


🧠 Concept

S3 supports Server-Side Encryption (SSE) — AWS encrypts each object as it is written to disk and decrypts it transparently when an authorized principal reads it. Note that since January 2023 S3 already applies SSE-S3 to every new object by default, so the question is really which key type you want and whether you enforce it. There are 3 main types:

Encryption Type   Key Managed By   Description
SSE-S3            AWS              AWS manages the encryption keys for you (AES-256). Default for all new objects.
SSE-KMS           AWS KMS          Keys live in AWS KMS: you control the key policy, rotation and cross-account access, and every use is logged in CloudTrail (more control).
SSE-C             Customer         You send your own key with every request; S3 uses it to encrypt/decrypt and discards it, so you must supply the same key to read the object (less common).

Easiest: SSE-S3 (Managed by AWS)

To set (or confirm) SSE-S3 as the bucket default so all objects are automatically encrypted with Amazon S3-managed keys:

Option 1: Using AWS Console

  1. Go to S3 → Your Bucket → Properties.
  2. Scroll down to Default encryption.
  3. Click Edit.
  4. Choose Enable and select Amazon S3-managed keys (SSE-S3).
  5. Save changes.

More Control: SSE-KMS (Managed by KMS)

Use this if you want to manage the keys or control access with IAM policies.

Option 1: Using AWS Console

  1. Go to S3 → Your Bucket → Properties.
  2. Scroll to Default encryption → Edit.
  3. Select AWS Key Management Service keys (SSE-KMS).
  4. Choose the AWS managed key (aws/s3) or a customer managed KMS key you created. Only a customer managed key lets you edit the key policy, configure rotation and grant cross-account access; aws/s3 can't be used for cross-account reads.
  5. Save changes.

Option 2: Using AWS CLI

aws s3api put-bucket-encryption \
  --bucket my-secure-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:ap-south-1:123456789012:key/abcd-1234-efgh-5678"
      }
    }]
  }'

Replace the KMSMasterKeyID with the ARN of your own key (leave it out to use the AWS managed key aws/s3). Adding "BucketKeyEnabled": true inside the rule turns on an S3 Bucket Key, which sharply reduces the number of KMS requests (and KMS cost) for KMS-encrypted objects.

🔒 Optional: Block Unencrypted Uploads

To make sure users can’t upload unencrypted files, add a bucket policy like this:

{
  "Version": "2012-10-17",
  "Id": "S3BucketPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}

🔸 Replace "my-secure-bucket" with your actual bucket name. 🔸 As written, the condition accepts only SSE-KMS uploads: a PutObject whose x-amz-server-side-encryption header is AES256 (SSE-S3) is denied too. To accept either, give the condition a list of values: "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]. 🔸 Caveat: a request that sends no x-amz-server-side-encryption header at all is also denied, even though S3 would have applied the bucket's default encryption to it. Clients must therefore set the header explicitly (for example aws s3 cp --sse aws:kms), or tools that rely on the bucket default will start failing with AccessDenied.


⚙️ Verification

Check the bucket default with:

aws s3api get-bucket-encryption --bucket my-secure-bucket

The output should contain a rule whose SSEAlgorithm is AES256 or aws:kms (with KMSMasterKeyID for SSE-KMS). To confirm that an individual object was actually stored encrypted, aws s3api head-object --bucket my-secure-bucket --key <object-key> (object key is a placeholder) reports the ServerSideEncryption it was written with; a policy that denies unencrypted uploads should be tested with one deliberately header-less upload, which must fail.
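The pieces above (the default-encryption rule for SSE-S3 or SSE-KMS, the deny-unencrypted-uploads bucket policy, and the verification output) as one added, runnable example. This is not code from the original answer or from AWS: it builds the same JSON documents the CLI commands take, then simulates how IAM's StringNotEquals condition treats three PutObject requests, including the header-less upload that the policy rejects even though the bucket default would have encrypted it. The bucket name and key ARN are the answer's placeholders, the get-bucket-encryption output is constructed, and the evaluator is an assumption that models only the condition semantics needed here.

```python
"""Added example: build S3 default-encryption config and a deny-unencrypted-
uploads bucket policy, and simulate the policy's StringNotEquals condition.
The evaluator is an assumption about IAM semantics, not an AWS API."""
import json

BUCKET = "my-secure-bucket"  # placeholder from the answer
KMS_KEY_ARN = "arn:aws:kms:ap-south-1:123456789012:key/abcd-1234-efgh-5678"  # placeholder


def default_encryption_config(algorithm, kms_key_arn=None, bucket_key=True):
    """Body for `put-bucket-encryption --server-side-encryption-configuration`.

    algorithm is "AES256" (SSE-S3) or "aws:kms" (SSE-KMS). For SSE-KMS an
    S3 Bucket Key is enabled by default, which reduces KMS request volume."""
    default = {"SSEAlgorithm": algorithm}
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if algorithm == "aws:kms":
        if kms_key_arn:
            default["KMSMasterKeyID"] = kms_key_arn  # omit to use the AWS managed key aws/s3
        rule["BucketKeyEnabled"] = bucket_key
    return {"Rules": [rule]}


def deny_unencrypted_uploads_policy(bucket, allowed_algorithms):
    """Bucket policy denying PutObject unless the request's
    x-amz-server-side-encryption header names one of allowed_algorithms."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": list(allowed_algorithms)
                    }
                },
            }
        ],
    }


def put_object_denied(policy, request_headers):
    """True if a Deny statement in `policy` matches a PutObject carrying
    `request_headers` (lower-case keys, e.g. "x-amz-server-side-encryption").

    Modelled IAM semantics: StringNotEquals with several values is true when
    the request value matches none of them, and a negated operator is also
    true when the condition key is absent from the request. So an upload that
    sends no header is denied even though the bucket default would encrypt it."""
    value = request_headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("s3:x-amz-server-side-encryption")
        if allowed is None:
            return True  # a Deny with no condition on this key always matches
        if isinstance(allowed, str):
            allowed = [allowed]
        if value is None or value not in allowed:
            return True
    return False


# Constructed sample of `aws s3api get-bucket-encryption` output for a bucket
# configured with the SSE-KMS rule above (not captured from a real account).
SAMPLE_GET_BUCKET_ENCRYPTION = json.dumps({
    "ServerSideEncryptionConfiguration": default_encryption_config("aws:kms", KMS_KEY_ARN)
})


def default_algorithm(get_bucket_encryption_output):
    """Parse get-bucket-encryption JSON and return the default SSEAlgorithm,
    or None if no default-encryption rule is present."""
    rules = json.loads(get_bucket_encryption_output)["ServerSideEncryptionConfiguration"]["Rules"]
    for rule in rules:
        alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg:
            return alg
    return None


if __name__ == "__main__":
    kms_only = deny_unencrypted_uploads_policy(BUCKET, ["aws:kms"])
    either = deny_unencrypted_uploads_policy(BUCKET, ["AES256", "aws:kms"])
    print(json.dumps(either, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "kms-only denies:", put_object_denied(kms_only, hdrs),
              "| either denies:", put_object_denied(either, hdrs))
    print("default algorithm:", default_algorithm(SAMPLE_GET_BUCKET_ENCRYPTION))
```

Pipe `json.dumps(deny_unencrypted_uploads_policy(...))` into `aws s3api put-bucket-policy --policy file://...` and `json.dumps(default_encryption_config(...))` into the put-bucket-encryption command to apply them; the simulation is there to show, before you deploy, which uploads the policy will start rejecting.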