How to Enable Default Encryption on an S3 Bucket
S3 default bucket encryption makes every upload encrypted at rest automatically, even if the client forgets the SSE header. Here's how to enable SSE-S3 (AES256) or SSE-KMS with one command.
What default encryption does
Default bucket encryption tells S3 to encrypt every object on write, regardless of
whether the upload requested it. Without it, a client that omits the x-amz-server-side-
encryption header stores the object in plaintext - which is exactly what compliance scans
flag. Turning it on closes that gap for all future PUTs.
Enable SSE-S3 (AES256) - the simple default
S3-managed keys, nothing else to set up:
aws s3api put-bucket-encryption \
--bucket customer-data \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}
}]
}'
Or SSE-KMS - when you need key control / audit
Use a KMS key if you need rotation, access policies, or CloudTrail logging of key use:
aws s3api put-bucket-encryption \
--bucket customer-data \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:...:key/abc-123"
},
"BucketKeyEnabled": true
}]
}'
BucketKeyEnabled cuts KMS costs by reducing per-object KMS calls.
Verify
aws s3api get-bucket-encryption --bucket customer-data
A few important notes
- Default encryption only applies to new objects. Existing objects stay as they were - re-upload or run a batch copy to encrypt them.
- It doesn't block plaintext intent - to reject unencrypted uploads outright, add a bucket policy that denies PUTs without the SSE header.
- SSE-S3 vs SSE-KMS: SSE-S3 (AES256) is free and zero-config; SSE-KMS adds key control + audit at a small per-request cost.
Want to try it hands-on? HeyDevJob gives you this exact setup in a live cloud workspace in your browser - edit it, run it, and see it work. Free, nothing to install.
Try it in a workspace →What you'll practice
- Enabling SSE-S3 default encryption with aws s3api
- Choosing SSE-S3 vs SSE-KMS
- Verifying with get-bucket-encryption + denying unencrypted PUTs
FAQ
How do I enable default encryption on an S3 bucket?
Run aws s3api put-bucket-encryption with a rule setting SSEAlgorithm to AES256 (SSE-S3) or aws:kms (SSE-KMS). After that S3 encrypts every new object automatically.
What's the difference between SSE-S3 and SSE-KMS?
SSE-S3 (AES256) uses S3-managed keys - free and zero-config. SSE-KMS uses a KMS key, adding rotation, access policies, and CloudTrail audit of key usage, at a small per-request cost (lower with BucketKeyEnabled).
Does default encryption encrypt existing objects?
No - it only applies to new uploads. Existing objects stay as-is; re-upload them or run a batch copy to encrypt what's already there.
Keep learning
Learn it by doing. Open this in a live cloud workspace, make the change yourself, and keep a record of the work you can share.
Open the workspace →