Ensure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in Amazon S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
S3 default encryption lets Amazon S3 encrypt your data at the bucket level instead of per object, protecting it from attackers or unauthorized personnel. Without default encryption, to encrypt every object stored in a bucket you must include encryption information (i.e. the "x-amz-server-side-encryption" header) with every object storage request, as described by the Server Side Encryption (SSE) conformity rule, and you must also set up a bucket policy that denies storage requests that don't include the encryption information.
To determine whether your Amazon S3 buckets have the Default Encryption feature enabled, perform the following:
To enable default encryption for your existing Amazon S3 buckets, perform the following:
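The check and the remediation above both come down to the S3 GetBucketEncryption and PutBucketEncryption API calls. The following Python is an added example, not part of the original rule text: `default_encryption_mode` classifies a GetBucketEncryption response as SSE-S3, SSE-KMS or unconfigured, `build_default_encryption_config` produces the configuration body for PutBucketEncryption, and `audit_bucket` wires both to a boto3 client. The sample responses, bucket name and KMS key ARN are constructed placeholders, not values from any real account.

```python
"""Evaluate and build Amazon S3 default-encryption settings (added example).

Works on the dictionaries returned by GetBucketEncryption and accepted by
PutBucketEncryption (boto3: get_bucket_encryption / put_bucket_encryption).
The sample responses below are constructed, not captured from a real account.
"""
from typing import Optional

# Constructed sample: GetBucketEncryption response for an SSE-KMS bucket.
SAMPLE_SSE_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    # Placeholder key ARN, not a real key.
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}

# Constructed sample: GetBucketEncryption response for an SSE-S3 bucket.
SAMPLE_SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}


def default_encryption_mode(response: Optional[dict]) -> Optional[str]:
    """Return 'SSE-S3', 'SSE-KMS' or None for a GetBucketEncryption response.

    Pass None when the API raised ServerSideEncryptionConfigurationNotFoundError,
    which is how S3 reports a bucket with no default encryption configured.
    """
    if not response:
        return None
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo == "aws:kms":
            return "SSE-KMS"
    return None


def is_compliant(response: Optional[dict]) -> bool:
    """The rule passes when any default encryption mode (SSE-S3 or SSE-KMS) is set."""
    return default_encryption_mode(response) is not None


def build_default_encryption_config(kms_key_id: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration body for PutBucketEncryption.

    With a KMS key ARN/ID the bucket defaults to SSE-KMS; without one, SSE-S3.
    """
    if kms_key_id:
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        rule = {"SSEAlgorithm": "AES256"}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def audit_bucket(s3_client, bucket: str, remediate: bool = False,
                 kms_key_id: Optional[str] = None) -> Optional[str]:
    """Check one bucket with a boto3 S3 client; optionally enable default encryption.

    Returns the detected mode after any remediation. Requires boto3 and
    credentials at runtime; it is not exercised by the offline samples above.
    """
    try:
        response = s3_client.get_bucket_encryption(Bucket=bucket)
    except s3_client.exceptions.ServerSideEncryptionConfigurationNotFoundError:
        response = None  # no default encryption configured
    mode = default_encryption_mode(response)
    if mode is None and remediate:
        s3_client.put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=build_default_encryption_config(kms_key_id),
        )
        mode = "SSE-KMS" if kms_key_id else "SSE-S3"
    return mode


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, sample in (("kms-bucket", SAMPLE_SSE_KMS), ("s3-bucket", SAMPLE_SSE_S3), ("plain-bucket", None)):
        print(f"{name}: mode={default_encryption_mode(sample)} compliant={is_compliant(sample)}")
```

To run the audit against real buckets, create the client with `boto3.client("s3")` and pass it to `audit_bucket` for each bucket name from `list_buckets`; the function treats the ServerSideEncryptionConfigurationNotFoundError exception as the "not enabled" finding rather than as an error, because that is the API's way of reporting an unconfigured bucket.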