interface ServerSideEncryptionByDefaultProperty
Language | Type name |
---|---|
![]() | Amazon.CDK.aws_s3express.CfnDirectoryBucket.ServerSideEncryptionByDefaultProperty |
![]() | github.com/aws/aws-cdk-go/awscdk/v2/awss3express#CfnDirectoryBucket_ServerSideEncryptionByDefaultProperty |
![]() | software.amazon.awscdk.services.s3express.CfnDirectoryBucket.ServerSideEncryptionByDefaultProperty |
![]() | aws_cdk.aws_s3express.CfnDirectoryBucket.ServerSideEncryptionByDefaultProperty |
![]() | aws-cdk-lib » aws_s3express » CfnDirectoryBucket » ServerSideEncryptionByDefaultProperty |
Describes the default server-side encryption to apply to new objects in the bucket.
If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see PutBucketEncryption in the Amazon S3 API Reference .
Example
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_s3express as s3express } from 'aws-cdk-lib';
const serverSideEncryptionByDefaultProperty: s3express.CfnDirectoryBucket.ServerSideEncryptionByDefaultProperty = {
sseAlgorithm: 'sseAlgorithm',
// the properties below are optional
kmsMasterKeyId: 'kmsMasterKeyId',
};
Properties
Name | Type | Description |
---|---|---|
sse | string | Server-side encryption algorithm to use for the default encryption. |
kms | string | AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. |
sseAlgorithm
Type:
string
Server-side encryption algorithm to use for the default encryption.
For directory buckets, there are only two supported values for server-side encryption:
AES256
andaws:kms
.
kmsMasterKeyId?
Type:
string
(optional)
AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.
This parameter is allowed only if SSEAlgorithm
is set to aws:kms
.
You can specify this parameter with the key ID or the Amazon Resource Name (ARN) of the KMS key. You can’t use the key alias of the KMS key.
- Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
- Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations .
Your SSE-KMS configuration can only support 1 customer managed key per directory bucket for the lifetime of the bucket. AWS managed key (
aws/s3
) isn't supported. Also, after you specify a customer managed key for SSE-KMS and upload objects with this configuration, you can't override the customer managed key for your SSE-KMS configuration. To use a new customer manager key for your data, we recommend copying your existing objects to a new directory bucket with a new customer managed key. > Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide .