What happens to new or existing objects when I enable default encryption with AWS KMS on my Amazon S3 bucket?

Resolution

After you enable default AWS KMS encryption on your bucket, Amazon S3 applies the default encryption only to new objects that you upload without any specified encryption settings.

Default bucket encryption doesn't change the encryption settings of existing objects. For example, if you enable server-side encryption with AWS KMS (SSE-KMS) on the bucket, then any unencrypted objects already in the bucket remain unencrypted. Additionally, any objects already encrypted using SSE-KMS, SSE-S3, or SSE-C remain encrypted their respective key.

Default bucket encryption also doesn't override the encryption settings specified in the upload of a new object. For example, if you specify AES256 encryption in your PutObject request to a bucket with default SSE-KMS encryption, then the object maintains AES256 encryption (SSE-S3).

If your bucket has default encryption but you're seeing newly uploaded objects with different encryption settings, then check AWS CloudTrail data event logs. Logs for PUT, POST, and InitiateMultipartUpload API requests have an SSEApplied field. If the value of this field is Default_SSE_S3 or Default_SSE_KMS, then the object has default encryption. If the value is SSE_S3 or SSE_KMS, then the object has the encryption settings specified in the PutObject request.

Note: To require that objects are uploaded with SSE-KMS, you can use a bucket policy, access point policy, or AWS Organizations service control policy.