AWS::S3Express::DirectoryBucket ServerSideEncryptionByDefault

Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see PutBucketEncryption in the Amazon S3 API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "KMSMasterKeyID" : String,
  "SSEAlgorithm" : String
}

YAML


  KMSMasterKeyID: String
  SSEAlgorithm: String

Properties

KMSMasterKeyID

AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. This parameter is allowed only if SSEAlgorithm is set to aws:kms.

You can specify this parameter with the key ID or the Amazon Resource Name (ARN) of the KMS key. You can’t use the key alias of the KMS key.

Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.

Note

Your SSE-KMS configuration can only support 1 customer managed key per directory bucket for the lifetime of the bucket. AWS managed key (aws/s3) isn't supported. Also, after you specify a customer managed key for SSE-KMS and upload objects with this configuration, you can't override the customer managed key for your SSE-KMS configuration. To use a new customer manager key for your data, we recommend copying your existing objects to a new directory bucket with a new customer managed key.

Important

Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.

Required: No

Type: String

Update requires: No interruption

SSEAlgorithm

Server-side encryption algorithm to use for the default encryption.

Note

For directory buckets, there are only two supported values for server-side encryption: AES256 and aws:kms.

Required: Yes

Type: String

Allowed values: aws:kms | AES256

Update requires: No interruption

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Rule

ServerSideEncryptionRule