What happens to new or existing objects when I turn on default encryption with AWS KMS on my Amazon S3 bucket?

2 minute read

I turned on default encryption using AWS Key Management Service (AWS KMS) on my Amazon Simple Storage Service (Amazon S3) bucket. I want to know what happens to the encryption or new and existing objects.


After you turn on default AWS KMS encryption on your bucket, Amazon S3 applies the encryption only to newly uploaded objects with no encryption settings.

Default bucket encryption doesn't change the encryption settings of existing objects. For example, if you turn on server-side encryption with AWS KMS (SSE-KMS) on the bucket, then any unencrypted objects already in the bucket remain unencrypted. Also, any objects already encrypted through SSE-KMS, SSE-S3, or SSE-C remain encrypted in their respective key.

Default bucket encryption also doesn't override the encryption settings that you specify when uploading a new object. For example, if you specify AES256 encryption in your PutObject request to a bucket with default SSE-KMS encryption, then the object maintains AES256 encryption (SSE-S3).

If your bucket has default encryption but you're seeing newly uploaded objects with different encryption settings, then check AWS CloudTrail data event logs. Logs for PUT, POST, and InitiateMultipartUpload API requests have an SSEApplied field. If the value of this field is Default_SSE_S3 or Default_SSE_KMS, then the object has default encryption. If the value is SSE_S3 or SSE_KMS, then the object specifies the encryption settings in the PutObject request.

Note: To require users to upload objects with SSE-KMS, use a bucket policy, access point policy, or AWS Organizations service control policy.

AWS OFFICIALUpdated a year ago