Ensure Server Side Encryption is enabled for all buckets


When we interact with sensitive data that is a crucial thing, so always implement server-side encryption in order to protect it from attackers or unauthorized personnel. Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the objects.


Perform the following steps to enable server-side encryption :

  1. Sign in to the AWS Management Console.
  2. Click to S3 dashboard at
  3. Select the S3 bucket that you want to configure and click the Properties tab from the dashboard top right menu:
  4. Inside the Properties tab, click Permissions to expand the bucket permissions settings panel.
  5. Click the Edit bucket policy button to edit the bucket policy currently in use. If the selected bucket does not have an access policy defined yet, click Add bucket policy.
  6. In the Bucket Policy Editor dialog box, perform one of the following actions based on your current configuration:
    1. If there is no access policy currently in use, paste the following policy document in the Bucket Policy Editor box, replace the bucket name, i.e. abc-bucket-name, with the name of your own S3 bucket then click Save. This policy will enforce the owner and the users that have access to the bucket to enable Server-Side Encryption for every object uploaded via Management Console or via AWS API:
      1. {  "Version": "2012-10-17",  "Id": "PutObjPolicy",  "Statement": [    {      "Sid": "DenyIncorrectEncryptionHeader",      "Effect": "Deny",      "Principal": "*",      "Action": "s3:PutObject",      "Resource": "arn:aws:s3:::abc-bucket-name/*",      "Condition": {        "StringNotEquals": {          "s3:x-amz-server-side-encryption": "AES256"        }      }    },    {      "Sid": "DenyUnEncryptedObjectUploads",      "Effect": "Deny",      "Principal": "*",      "Action": "s3:PutObject",      "Resource": "arn:aws:s3:::abc-bucket-name/*",      "Condition": {        "Null": {          "s3:x-amz-server-side-encryption": "true"        }      }    }  ]}
    2. If the selected bucket has already an access policy implemented, append the following policy statements to the existing ones available within the Bucket Policy Editor box, as shown in the following example.
      1. {      "Sid": "DenyIncorrectEncryptionHeader",      "Effect": "Deny",      "Principal": "*",      "Action": "s3:PutObject",      "Resource": "arn:aws:s3:::abc-bucket-name/*",      "Condition": {        "StringNotEquals": {          "s3:x-amz-server-side-encryption": "AES256"        }      }    },    {      "Sid": "DenyUnEncryptedObjectUploads",      "Effect": "Deny",      "Principal": "*",      "Action": "s3:PutObject",      "Resource": "arn:aws:s3:::abc-bucket-name/*",      "Condition": {        "Null": {          "s3:x-amz-server-side-encryption": "true"        }      }    
  7. To check the Server-Side Encryption feature implementation, perform the following actions:
    1. Select the SSE-enabled S3 bucket and click the Upload button from the dashboard top menu.
    2. In the Upload – Select Files and Folders dialog box, click Add files to upload a simple text file.
    3. Click Set Details button to set additional details for the object uploaded at the previous step.
    4. On the Set Details page, check Use Server Side Encryption checkbox then click Start Upload to upload the file to your bucket. If your file is uploaded to S3 without returning any errors during the process, the Server-Side Encryption has been successfully enabled.







We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!