Class: Aws::S3::Types::ServerSideEncryptionByDefault

Inherits: Struct
Includes: Aws::Structure
Defined in: lib/aws-sdk-s3/types.rb

Overview

Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn’t specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption].

<note markdown="1">
  • **General purpose buckets** - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an Amazon Web Services KMS key (`aws/s3`) in your Amazon Web Services account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.

  • **Directory buckets** - Your SSE-KMS configuration can only support 1 [customer managed key] per directory bucket for the lifetime of the bucket. The [Amazon Web Services managed key] (`aws/s3`) isn't supported.

  • **Directory buckets** - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
</note>

[1]: docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
[2]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
[3]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk

Constant Summary

SENSITIVE = [:kms_master_key_id]

Instance Attribute Summary

  • #kms_master_key_id ⇒ String
  • #sse_algorithm ⇒ String

Instance Attribute Details

#kms_master_key_id ⇒ String

Amazon Web Services Key Management Service (KMS) customer managed key ID to use for the default encryption.

<note markdown="1">
  • **General purpose buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse`.

  • **Directory buckets** - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms`.
</note>

You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.

  • Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`

  • Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`

  • Key Alias: `alias/alias-name`

If you are using encryption with cross-account or Amazon Web Services service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations].

<note markdown="1">
  • **General purpose buckets** - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester's account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.

  • **Directory buckets** - When you specify a [KMS customer managed key] for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
</note>

Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in Amazon Web Services KMS] in the *Amazon Web Services Key Management Service Developer Guide*.

[1]: docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy
[2]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
[3]: docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html

Returns:

  • (String)


# File 'lib/aws-sdk-s3/types.rb', line 16412

class ServerSideEncryptionByDefault < Struct.new(
  :sse_algorithm,
  :kms_master_key_id)
  SENSITIVE = [:kms_master_key_id]
  include Aws::Structure
end

#sse_algorithm ⇒ String

Server-side encryption algorithm to use for the default encryption.

<note markdown="1">
For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms`.
</note>

Returns:

  • (String)
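The constraints documented for `kms_master_key_id` and `sse_algorithm` above are easy to get wrong when assembling a PutBucketEncryption request by hand, and the SDK only reports some of them as service-side errors. The following is an added example, not code from the aws-sdk-s3 gem: a plain-Ruby pre-flight check over a rule hash shaped like `ServerSideEncryptionByDefault`, which flags the combinations the notes rule out (a key on a non-KMS algorithm, `aws:kms:dsse` or an alias on a directory bucket), warns where the notes recommend a fully qualified ARN, and masks the `SENSITIVE` member before a rule is logged. The key-format regexes, the `:general_purpose` / `:directory` bucket-type symbols, the `example-bucket` name and the request-parameter nesting passed to `put_bucket_encryption` are this example's own assumptions.

```ruby
# Added example, not part of the aws-sdk-s3 gem: sanity-check a default
# encryption rule before it is sent with put_bucket_encryption, using the
# constraints documented for ServerSideEncryptionByDefault. The hash keys
# mirror the struct's members (:sse_algorithm, :kms_master_key_id).

# Key forms listed in the documentation. The regexes are this example's own
# approximation of their shape, not an AWS-published grammar.
KMS_KEY_ARN_RE   = %r{\Aarn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}\z}
KMS_KEY_ID_RE    = /\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/
KMS_KEY_ALIAS_RE = %r{\Aalias/[A-Za-z0-9/_-]+\z}

# Mirrors the struct's SENSITIVE constant: these members must not reach logs.
SENSITIVE_MEMBERS = [:kms_master_key_id].freeze

# Classify how a KMS key is referenced: :arn, :id, :alias or :unknown.
def kms_key_form(key)
  case key
  when KMS_KEY_ARN_RE   then :arn
  when KMS_KEY_ID_RE    then :id
  when KMS_KEY_ALIAS_RE then :alias
  else :unknown
  end
end

# Validate one rule. Returns { valid:, errors:, warnings: }.
# bucket_type is :general_purpose or :directory (assumed symbols); directory
# buckets get the narrower rules described in the notes above.
def validate_default_encryption(rule, bucket_type: :general_purpose)
  errors    = []
  warnings  = []
  directory = (bucket_type == :directory)

  algorithm = rule[:sse_algorithm]
  key       = rule[:kms_master_key_id]

  allowed_algorithms = directory ? %w[AES256 aws:kms] : %w[AES256 aws:kms aws:kms:dsse]
  kms_algorithms     = directory ? %w[aws:kms] : %w[aws:kms aws:kms:dsse]

  unless allowed_algorithms.include?(algorithm)
    errors << "sse_algorithm must be one of #{allowed_algorithms.join(', ')} (got #{algorithm.inspect})"
  end

  if key && !key.empty?
    # kms_master_key_id is allowed only with a KMS algorithm.
    unless kms_algorithms.include?(algorithm)
      errors << "kms_master_key_id is only allowed when sse_algorithm is #{kms_algorithms.join(' or ')}"
    end
    case kms_key_form(key)
    when :arn
      # Fully qualified ARN: the recommended form, required for cross-account use.
    when :id
      warnings << "key ID given; a fully qualified key ARN is required for cross-account operations"
    when :alias
      if directory
        errors << "key aliases are not supported for directory buckets; use the key ID or key ARN"
      else
        warnings << "alias resolves in the requester's account, not the bucket owner's; prefer the key ARN"
      end
    else
      errors << "kms_master_key_id is not a recognised key ID, key ARN or alias"
    end
  end

  { valid: errors.empty?, errors: errors, warnings: warnings }
end

# Build the parameter hash for Aws::S3::Client#put_bucket_encryption. The
# nesting (server_side_encryption_configuration -> rules ->
# apply_server_side_encryption_by_default) is assumed from the SDK's names.
def put_bucket_encryption_params(bucket, rule)
  { bucket: bucket,
    server_side_encryption_configuration: {
      rules: [{ apply_server_side_encryption_by_default: rule }]
    } }
end

# Copy of a rule with SENSITIVE members masked, safe to log or put in an error.
def redact_sensitive(rule)
  rule.each_with_object({}) do |(k, v), out|
    out[k] = SENSITIVE_MEMBERS.include?(k) ? "[REDACTED]" : v
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rule using the key ARN format shown in the docs.
  rule = { sse_algorithm: "aws:kms",
           kms_master_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }
  puts validate_default_encryption(rule).inspect
  puts put_bucket_encryption_params("example-bucket", redact_sensitive(rule)).inspect
end
```

Run the check on the rule before calling the client, treat `errors` as a hard stop and surface `warnings` in review: the alias and key-ID warnings correspond to the cross-account and VPC-flow-log pitfalls the notes describe, which the service will not reject for you.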

