# s3-default-encryption-kms
<a name="s3-default-encryption-kms"></a>

Checks if the S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON\$1COMPLIANT if the S3 bucket is not encrypted with an AWS KMS key. 



**Identifier:** S3\$1DEFAULT\$1ENCRYPTION\$1KMS

**Resource Types:** AWS::S3::Bucket, AWS::KMS::Key

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyArns (Optional)Type: CSV  
Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon S3 Buckets.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1407c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).