I am trying to enable server side encryption (SSE) for objects in S3.
I went through the AWS S3 documentation and understood that when you configure a bucket to enable SSE (in my case, using a KMS CMK) under bucket properties, any object uploaded will be encrypted using the selected encryption key at rest. My job is done here.
But, I am not able to understand why we need to pass SSE headers (--sse-kms-key-id {{kms-key}} --sse=aws:kms) while uploading any object to S3. What difference is this going to make w.r.t. enabling SSE on the bucket itself?
Why is it preferred to make the addition of SSE headers mandatory in the bucket policy when my purpose of SSE is already served just by enabling SSE encryption at the bucket level, which is a one-time configuration under bucket properties?
2 Answers
Thank you Arpit, Gusto and Abraam. Got my answer.
I think you have 2 questions.
I don't think you need to. In the official doc, it says:
Which is simply what you said. If you don't define headers, and have set default encryption for KMS-SSE, it will be used instead of the default KMS-S3.
Your 2nd question:
Because, as stated above, default encryption on S3 can be overwritten when encryption options are passed in your PUT request arguments; so you might want to deny any other encryption method other than the one you want to use.
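The deny-everything-else bucket policy the answer refers to, as an added example (not the answerer's code or an AWS sample), with a small evaluator that models how IAM would apply it to a PUT request's SSE headers. The bucket name and KMS key ARN are constructed placeholders; the evaluator covers only the StringNotEquals semantics this policy needs.

```python
# Constructed placeholder values; not from the original thread.
BUCKET = "example-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def deny_unless(sid, key, value):
    """One Deny statement per condition key. Keys inside a single
    StringNotEquals block are ANDed, so putting both keys in one block
    would only deny when BOTH mismatch; separate statements avoid that."""
    return {
        "Sid": sid, "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringNotEquals": {key: value}},
    }


POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        deny_unless("RequireSseKms", "s3:x-amz-server-side-encryption", "aws:kms"),
        deny_unless("RequireThisKey",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id", KMS_KEY_ARN),
    ],
}

# Request header -> IAM condition key, as S3 populates the request context.
CONTEXT_KEYS = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
    "x-amz-server-side-encryption-aws-kms-key-id":
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def put_is_denied(headers, policy=POLICY):
    """Simplified model of IAM evaluation for the Deny statements above.
    StringNotEquals matches when the context key is absent or differs;
    keys within one operator block are ANDed; any matching Deny wins."""
    ctx = {CONTEXT_KEYS[h]: v for h, v in headers.items() if h in CONTEXT_KEYS}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        block = stmt["Condition"]["StringNotEquals"]
        if all(ctx.get(k) != v for k, v in block.items()):
            return True
    return False


if __name__ == "__main__":
    for h in [{}, {"x-amz-server-side-encryption": "AES256"},
              {"x-amz-server-side-encryption": "aws:kms",
               "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}]:
        print(h, "-> denied" if put_is_denied(h) else "-> allowed")
```

A header-less upload is denied here as well, so with this policy in place clients cannot simply rely on the bucket default; that is the trade-off the question is asking about.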