Amazon Simple Storage Service (Amazon S3)
AWS S3 Advanced Features
Demo S3 Encryption
In this guide, we’ll demonstrate how to secure data in Amazon S3 using three server-side encryption methods:
- SSE-S3 (default S3-managed keys)
- SSE-KMS (AWS-managed)
- SSE-KMS (customer-managed)
Encryption Method | Description | Access Control |
---|---|---|
SSE-S3 | Server-side encryption with S3-managed keys | Any IAM principal with S3 permissions decrypt |
SSE-KMS (AWS-managed) | SSE using an AWS-managed KMS CMK | Requires S3 + KMS usage permissions |
SSE-KMS (customer-managed) | SSE using a customer-created KMS CMK | Fine-grained KMS policy separates duties |
For more details, see the Amazon S3 Encryption Overview and the AWS KMS Documentation.
1. Default SSE-S3 Encryption
By default, any object uploaded to a new S3 bucket is encrypted at rest with SSE-S3. You don’t need to configure anything extra.
Note
If you haven’t changed bucket defaults, SSE-S3 is automatically applied to all uploads.
When uploading via the console, you can explicitly choose Server-side encryption → Amazon S3 key (SSE-S3):
Upload a test file and verify its Encryption property in the object details. SSE-S3 uses keys fully managed by AWS; any user with S3 permissions can decrypt objects.
2. SSE-KMS with the AWS-Managed Key
To add KMS to the mix, override the bucket’s default encryption at upload time:
- Start a new upload in the S3 console.
- In Properties, set Server-side encryption → AWS KMS key (SSE-KMS).
- Select the default AWS-managed CMK for S3.
- Complete your upload.
If the S3-default key doesn’t exist, S3 provisions it automatically. You can browse managed CMKs in the KMS console:
After uploading, inspect your object’s metadata:
And check the AWS-managed CMK list:
The policy for an AWS-managed CMK is fixed and cannot be altered:
{
"Version": "2012-10-17",
"Id": "auto-s3-2",
"Statement": [
{
"Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
]
}
]
}
Warning
AWS-managed CMKs can’t restrict decryption separate from S3 access. Any user with S3 permissions can decrypt SSE-KMS objects.
3. Customer-Managed KMS Keys for Granular Control
To separate S3 permissions from decryption rights, create and use your own KMS CMK.
3.1 Create a Customer-Managed CMK
- In the KMS console, go to Customer managed keys → Create key.
- Choose Symmetric and click Next.
- Add an alias, e.g.,
my-key
.
- Specify Key administrative permissions (who can manage the CMK).
- Define Key usage permissions (who can encrypt/decrypt).
- Review and finish. The default key policy looks like:
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::841860297733:root"
}
}
]
}
3.2 Encrypt an Object with Your CMK
- Open your S3 bucket and start a new upload.
- Under Override default encryption, choose AWS KMS key → my-key.
- Upload and view the object details:
- Admin (with S3 + KMS rights) can download and decrypt.
- User2 (S3-only) can list and modify metadata but cannot decrypt:
<Error>
<Code>AccessDenied</Code>
<Message>The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.</Message>
<RequestId>45V16V31G01DFAB5</RequestId>
<HostId>1kv(0M+PFX6f0xACL7kpxnmxFkHerBHM2xYJWFT6uBiBkbPqbV6YBUOzVwViTRkbIDhk=</HostId>
</Error>
Users without KMS Decrypt permission can still delete or rename the object:
3.3 Manage Your Customer-Managed CMK
Back in the KMS console, you can edit your CMK policy, enable key rotation, and adjust usage permissions—capabilities not available for AWS-managed CMKs:
4. Make Your CMK the Bucket Default
To enforce your CMK on all future uploads:
- In the S3 console, go to Bucket properties → Default encryption.
- Select AWS KMS key, choose my-key, and save.
- Upload a file without specifying encryption; S3 defaults to
my-key
. - User2 (S3-only) still cannot decrypt:
<Error>
<Code>AccessDenied</Code>
<Message>
The cipherText refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
</Message>
<RequestId>37V63DWBW8NS8FMT</RequestId>
<HostId>
4THW1yNqrLpqxTPMR3ZMBPTiGfQlf19eYGDKu1g1u3F1qPClUs22s1UxYtDADWCRDB=
</HostId>
</Error>
You’ve now mastered S3 encryption using SSE-S3, AWS-managed CMKs, and customer-managed CMKs for robust, granular access controls.
Watch Video
Watch video content
Practice Lab
Practice lab