From the Mailbag: Protecting S3 Data with Encryption


“From the Mailbag” gives us at AWS w/ .NET the opportunity to answer questions from our users. Got a question for us? Ask us here.

Photo by Joanna Kosinska on Unsplash

Question: Our company has an S3 bucket where multiple companies upload CSV files for later processing. Is it possible to require that all files in that bucket be encrypted?

Response: S3 offers a lot of flexibility when it comes to encryption. Objects can be encrypted client-side and then uploaded, or they can be encrypted server-side using KMS keys, customer-provided keys, or S3 keys. To enforce that all S3 objects in a bucket are encrypted, use a bucket policy requiring that every object upload provide the x-amz-server-side-encryption header. More on the x-amz-server-side-encryption header can be found here: Using Server Side Encryption.
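A bucket policy of the kind described above, added here as an illustration rather than taken from the original post. The bucket name `EXAMPLE-BUCKET-NAME` is a placeholder, and the choice to accept both `AES256` (S3 keys) and `aws:kms` (KMS keys) is an assumption; list only the modes you want to allow.

```json
{
  "Version": "2012-10-17",
  "Id": "RequireServerSideEncryption",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithUnexpectedEncryptionMode",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
        }
      }
    }
  ]
}
```

With this policy in place, a PutObject request that omits the header is rejected with AccessDenied, so every company uploading to the bucket must set it explicitly. Uploads that use customer-provided keys send a different set of headers and would also be denied by this policy as written.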

UPDATE: as of January 5, 2023, all objects uploaded to S3 are encrypted by default using S3 managed keys.

Check out our other articles focused on S3 and AWS Storage.
