By using AWS re:Post, you agree to the Terms of Use

sse-s3 encryption default permission


I was wondering what the default s3 sse-s3 encryption keys permission ? For kms default AWS managed keys kms/s3 it's crystal clear but for sse-s3 it's just vague . Is it allow encryption/decryption in behalf of other AWS account? Thanks in advance

2 Answers
Accepted Answer

I tried to get an sse-s3 encrypted file over public and it works so yeah I guess it provide encryption/decryption for anyone has access to the objects

answered 8 months ago


With SSE-S3 the encryption is managed by S3 service. When you upload an object with SSE-S3, the S3 service will encrypt the object with AES-256 cipher before it is stored on the disks. The S3 service manages the keys. Please check out below for details & examples:

One can optionally set this at bucket level by going to Bucket -> Properties -> Edit Encryption in AWS Console.

answered 8 months ago
  • I know and I read the doc but my question specifically is: Do see-s3 encrypt/decrypt objects data in behalf of other accounts if I grant those accounts the basic bucket permission. Because kms AWS managed keys do only accept encrypt/decrypt for service principal in behalf of the same account users. I read the whole doc but not clear like many other things I did submit feedback for and unfortunately can not try it in free tier I am not willing to create another account so I can not try it through handson Thanks alot for your answer

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions