How to enable Amazon S3 default bucket encryption using S3 Console

Amazon S3

In this guide, I will be showing you how to enable default encryption on an Amazon S3 bucket so that all the objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys. But our focus in this guide will be on AWS KMS. For other related AWS topics you can read: How to manage cost with AWS Budgets, Creating IAM Users, Adding MFA and Policies on AWS, Hosting Static Website and Versioning on AWS S3, How to Deploy Dynamic Website to AWS EC2, How to Deploy MVC Application to AWS EC2 Using RDP Connection and Web Deploy.

A step-by-step process on how to create an S3 bucket is covered in this guide: How to deploy an Angular App to AWS S3

Furthermore, Log in to the AWS Management Console and open the Amazon S3 console:

default bucket encryption
Login Page
  • However, from the Buckets list select the name of the bucket that you want to encrypt.
Bucket List
  • Choose Properties
S3 Console
Bucket Overview
  • Scroll down to Default encryption, click on Edit
Amazon S3
Default Encryption
  • Moreover, In order to enable server-side encryption, select Enable
  • In addition, To enable server-side encryption, you can either choose the Amazon S3 key (SSE-S3) or the AWS Key Management Service key (SSE-KMS) under the Encryption key type. But in this guide, we will use the SSE-KMS Encryption key type.
S3 Console
AWS Key Management Service Key

Nonetheless, Under the AWS KMS key section, you can select any of the following:

  • AWS managed key (aws/s3)
  • Choose from your KMS root keys.
  • Enter KMS root key ARN.

Consequently, In this guide, we will select Choose from your AWS KMS Keys, and we will Create Key


Similarly, Click on the Create key button and select Symmetric, you can leave the Advanced options as it is.

Configuring the Key

Nevertheless, Enter the Alias and other sections are optional.

Adding Alias

Therefore, In the next section, you will need to define key administrative permissions like key administrators, and also you will need to define the critical usage permissions.

Key Configuration

Additionally, The key policy will be created by the time you click on the Finish button.

Key Policy

Key created below

Customer Managed Keys

Furthermore, Now select the key you created and under Bucket Key, choose Enable.


Click Save Changes to Encrypt your S3 Bucket.

Bucket Overview

I hope you found this blog post on How to enable Amazon S3 default bucket encryption using S3 Console very interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x