S3 Default Encryption override with command line/api call


Regarding S3 default encryption: if you have S3 default encryption enabled with a KMS CMK and then specify the header option (SSE-S3) when putting an object in S3, does it no longer apply the default S3 policy and only use the options passed in the header?

1 Answer
Accepted Answer

S3 doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

After you enable default encryption for a bucket, the following encryption behavior applies:

- There is no change to the encryption of the objects that existed in the bucket before default encryption was enabled.
- When you upload objects after enabling default encryption:
  - If your PUT request headers don't include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects.
  - If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3. If the PUT succeeds, the response is an HTTP/1.1 200 OK with the encryption information in the response headers. For more information, see PUT Object.
- If you use the SSE-KMS option for your default encryption configuration, you are subject to the RPS (requests per second) limits of AWS KMS. For more information about AWS KMS limits and how to request a limit increase, see AWS KMS limits.


answered 6 years ago
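
Because request headers take precedence over the bucket default, a bucket that must stay on SSE-KMS needs a policy that rejects PUTs carrying a different SSE header. The following is an added example, not part of the original answer or the AWS documentation: it builds such a bucket policy with the S3 condition key `s3:x-amz-server-side-encryption` and checks it against constructed request headers. The bucket name is a placeholder and `condition_matches` is a simplified model of the two operators used, not the IAM policy engine.

```python
import json

BUCKET = "example-bucket"  # placeholder bucket name (assumption)

def build_policy(bucket=BUCKET):
    """Deny PutObject when an SSE header is present and is not aws:kms."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySseHeaderOverride",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                # Header is present in the request...
                "Null": {"s3:x-amz-server-side-encryption": "false"},
                # ...and asks for something other than SSE-KMS.
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
            },
        }],
    }

def condition_matches(condition, ctx):
    """Simplified model of the two operators above; all of them must match (AND)."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if op == "Null":
                ok = (not present) == (expected == "true")
            elif op == "StringNotEquals":
                # Negated operators also match when the key is absent.
                ok = (not present) or ctx[key] != expected
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def is_denied(policy, headers):
    """headers: constructed PUT request headers, keyed by header name."""
    ctx = {"s3:" + name: value for name, value in headers.items()}
    return any(s["Effect"] == "Deny" and condition_matches(s["Condition"], ctx)
               for s in policy["Statement"])

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

A PUT without any SSE header is not denied and falls through to the bucket's default encryption; the `Null` condition is what keeps those requests working.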
