
I am trying to enable server-side encryption (SSE) for objects in S3.

I went through the AWS S3 documentation and understood that when you configure a bucket to enable SSE (in my case, using a KMS CMK) under bucket properties, any object uploaded will be encrypted at rest using the selected encryption key. My job is done here.

But I am not able to understand why we need to pass SSE headers (--sse-kms-key-id {{kms-key}} --sse=aws:kms) while uploading any object to S3. What difference is this going to make w.r.t. enabling SSE on the bucket itself?

Why is it preferred to make the addition of SSE headers mandatory in the bucket policy when my purpose of SSE is already served just by enabling SSE encryption at the bucket level, which is a one-time configuration under bucket properties?

2 Answers


  1. Chosen as BEST ANSWER

    Thank you Arpit, Gusto and Abraam. Got my answer.


  2. I think you have 2 questions:

    Why do we need to pass SSE headers?

    I don’t think you need to. In the official doc, it says:

    • When you upload objects after enabling default encryption:

    If your PUT request headers don’t include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects.

    If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3.

    Which is simply what you said. If you don’t define headers and have set default encryption to SSE-KMS, it will be used instead of the default SSE-S3.

    Your 2nd question:

    Why is it preferred to make the addition of SSE headers mandatory in the bucket policy?

    Because, as stated above, default encryption on S3 can be overridden when encryption options are passed in your PUT request arguments, so you might want to deny any encryption method other than the one you want to use.

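As an added illustration of the second answer (this is not the answerer's own policy and not from the page), here is the shape of a bucket policy that enforces SSE-KMS with one specific key. The bucket name, region, account id and key id are placeholders to replace; the condition keys s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id are the ones S3 exposes for the two upload headers discussed in the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutSseHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyAnyEncryptionOtherThanSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithAnotherKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"
        }
      }
    }
  ]
}
```

The second statement is the one that answers the question: a client can override bucket default encryption by sending its own header, and this explicit Deny rejects any value other than aws:kms. The third statement pins uploads to the intended CMK rather than any key the caller chooses. The first statement rejects uploads that send no encryption header at all; because a bucket policy is evaluated on the request before default encryption is applied at storage time, keeping it means every client must send the headers from the question (--sse aws:kms --sse-kms-key-id ...). Drop that first statement if header-less uploads should be allowed to fall back to the bucket's default encryption setting.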