Maintained with ☕️ by
IcePanel logo

Amazon S3 now automatically encrypts all new objects

Share

Services

Amazon S3 now automatically applies S3 managed server-side encryption (SSE-S3) as a base level of encryption to all new objects added to S3, at no additional cost and with no impact on performance. SSE-S3 uses 256-bit Advanced Encryption Standard and has been configured for trillions of objects by customers. This new base level of encryption helps customers meet their encryption requirements, with no changes to applications. Alternatively, customers can still choose to update this default configuration using customer-provided encryption keys (SSE-C) or AWS Key Management Service keys (SSE-KMS). Since 2017, customers have used the S3 Default Encryption feature to apply a base level of encryption for every object added to their buckets. S3 Default Encryption is an optional bucket-level setting that customers use to establish a default level of encryption. With this update, Amazon S3 will automatically apply SSE-S3 as the base level of Default Encryption setting for all new buckets and for existing buckets without any customer configured encryption setting. Existing buckets currently using S3 Default Encryption configuration will not change. Customers can continue to update the Default Encryption configuration but can no longer remove this setting from any S3 bucket to disable automatic encryption on new objects. As a result, all new data uploaded to S3 will be encrypted at rest. The automatic encryption status for new object uploads and S3 Default Encryption configuration is available in AWS CloudTrail logs. Over the next few weeks, this status will begin to show in the S3 management console, S3 Inventory, S3 Storage Lens, and as an additional S3 API header in the AWS CLI and AWS SDK. We will update the S3 documentation once this additional information is available in all AWS Regions. This update is available in all [AWS Regions](/about-aws/global-infrastructure/regional-product-services/), including the [AWS GovCloud (US) Regions](/govcloud-us/) and AWS China Regions. For detailed information on the expected experience, see the [AWS News Blog post](https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default) for this new base level of encryption or visit the Amazon S3 encryption [documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).