Configure Encryption on a S3 Bucket

AWS
  • Create a S3 bucket, with name tw-testbucket-2021abc
  • Attach bucket policy below, this can be generated with help of AWS Policy Generator
{
  "Id": "Policy1627604722484",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1627604720916",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::tw-testbucket-2021abc/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      },
      "Principal": "*"
    }
  ]
}

  • Upload file without encryption enabled

    The upload will failed with Access Denied error

  • Upload file with encryption enabled

    • Go to Server-side encryption settings on Upload page
    • Choose Specify an encryption key
    • Choose AWS Key Management Service key(SSE-KMS) -> AWS managed key (aws/s3)
    • Click Upload, and the upload is successful