Amazon_S3_4

Ensure all S3 buckets have a policy that requires server-side and in-transit encryption for all objects stored in the bucket

Description

Data in transit is data being accessed over the network, and therefore could be intercepted by someone else on the network or with access to the physical media the network uses. On an Ethernet network, that could be someone with the ability to tap a cable, configure a switch to mirror traffic, or fool your client or a router into directing traffic to them before it moves on to the final destination. Server-side encryption (SSE) is about data encryption at rest: Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.

Amazon S3 offers three options for encrypting data at rest, depending on how you choose to manage the encryption keys:

  • Use SSE with Amazon S3-Managed Keys
  • Use SSE with AWS KMS-Managed Keys
  • Use SSE with Customer-Provided Keys

At the time of object creation (that is, when you are uploading a new object or making a copy of an existing object) you can specify that you want Amazon S3 to encrypt your data by adding the "x-amz-server-side-encryption" header to the request. Set the value of the header to the encryption algorithm AES256 that Amazon S3 supports. Amazon S3 confirms that your object is stored using server-side encryption by returning the response header "x-amz-server-side-encryption".
No matter which of the three options you choose, you can create and attach an S3 bucket policy that denies any object-creation S3 API call (PUT Object, PUT Object - Copy, POST Object, Initiate Multipart Upload) if the request does not include the "x-amz-server-side-encryption" header requesting server-side encryption, and likewise if the request was not made over SSL/TLS.

Remediation

Perform the following to ensure all objects placed in S3 are encrypted in transit and at rest:

  • Create a new file, add the following to it, and save it as policy.json (use straight ASCII quotes; curly quotes make the file invalid JSON). The two conditions go in separate statements because all operators inside a single Condition block must match at once, which would only deny a request that is both unencrypted and sent over plain HTTP:
    {
      "Version": "2012-10-17",
      "Id": "PutObjPolicy",
      "Statement": [
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::<s3_bucket_name>/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        },
        {
          "Sid": "DenyInsecureTransport",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::<s3_bucket_name>/*",
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  • Attach the above bucket policy to each S3 bucket:
    aws s3api put-bucket-policy --bucket <s3_bucket_name> --policy file://policy.json
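The following Python script is an added example, not part of the original check or of any AWS tooling. It builds the remediation policy for a bucket name you pass in, writes it to policy.json for the put-bucket-policy command above, and includes a small evaluator for the Null and Bool condition operators so you can see, offline, which PutObject request contexts each statement denies. It also goes one step beyond the text: it models the same two conditions placed in one statement and shows that an unencrypted upload over TLS slips through in that form. The bucket name, the request contexts and the single_statement_policy helper are constructed for the example.

```python
import json

# Condition keys used by the bucket policy (real IAM condition keys)
SSE_HEADER_KEY = "s3:x-amz-server-side-encryption"
TLS_KEY = "aws:SecureTransport"


def _deny_statement(sid, bucket, condition):
    """One Deny statement for s3:PutObject, which covers PUT, PUT-Copy,
    POST and multipart-initiate object creation."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": condition,
    }


def build_policy(bucket):
    """Two independent Deny statements: missing SSE header, or non-TLS transport."""
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            _deny_statement("DenyUnEncryptedObjectUploads", bucket,
                            {"Null": {SSE_HEADER_KEY: "true"}}),
            _deny_statement("DenyInsecureTransport", bucket,
                            {"Bool": {TLS_KEY: "false"}}),
        ],
    }


def single_statement_policy(bucket):
    """Constructed for comparison: both conditions in ONE statement, so they are ANDed."""
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": _deny_statement(
            "DenyUnEncryptedObjectUploads", bucket,
            {"Null": {SSE_HEADER_KEY: "true"}, "Bool": {TLS_KEY: "false"}}),
    }


def _condition_matches(condition, ctx):
    """Minimal evaluator for the Null and Bool operators. Every operator/key pair
    in a Condition block must match for the statement to apply (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # Null "true" matches only when the key is absent from the request
                if (key not in ctx) != (expected == "true"):
                    return False
            elif operator == "Bool":
                # A Bool test on an absent key does not match (no ...IfExists variant here)
                if key not in ctx or str(ctx[key]).lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def evaluate_put(policy, ctx):
    """'Deny' if any Deny statement matches a PutObject request context, else 'Allow'
    (assumes the caller is otherwise permitted; an explicit Deny always wins)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            return "Deny"
    return "Allow"


def write_policy_file(bucket, path="policy.json"):
    """Write the policy for: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json"""
    with open(path, "w") as fh:
        json.dump(build_policy(bucket), fh, indent=2)
    return path


if __name__ == "__main__":
    bucket = "example-bucket"  # placeholder, not a real bucket
    # Constructed request contexts (sample values, not captured from a real account)
    cases = {
        "TLS, no SSE header": {TLS_KEY: "true"},
        "HTTP, SSE-S3 header": {TLS_KEY: "false", SSE_HEADER_KEY: "AES256"},
        "TLS, SSE-KMS header": {TLS_KEY: "true", SSE_HEADER_KEY: "aws:kms"},
    }
    for name, ctx in cases.items():
        print(f"{name:20}  two statements: {evaluate_put(build_policy(bucket), ctx):5}  "
              f"single statement: {evaluate_put(single_statement_policy(bucket), ctx)}")
    print("wrote", write_policy_file(bucket))
```

Run it, then attach the generated file with the put-bucket-policy command from the remediation step. Note that S3 has applied SSE-S3 default encryption to all new objects since January 2023; the Null condition still denies clients that omit the header, so those clients must be updated to send it (or the header check dropped if default encryption is accepted as sufficient at rest).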


References:

  1. http://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html
  2. http://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html
  3. http://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
  4. http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

Service

S3

Severity

Medium

Compliance

Mapping
