Configure Encryption on a S3 Bucket

  • Create a S3 bucket, with name tw-testbucket-2021abc
  • Attach bucket policy below, this can be generated with help of AWS Policy Generator
  "Id": "Policy1627604722484",
  "Version": "2012-10-17",
  "Statement": [
      "Sid": "Stmt1627604720916",
      "Action": [
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::tw-testbucket-2021abc/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
      "Principal": "*"

  • Upload file without encryption enabled

    The upload will failed with Access Denied error

  • Upload file with encryption enabled

    • Go to Server-side encryption settings on Upload page
    • Choose Specify an encryption key
    • Choose AWS Key Management Service key(SSE-KMS) -> AWS managed key (aws/s3)
    • Click Upload, and the upload is successful