AWS::S3Express::DirectoryBucket ServerSideEncryptionRule

Specifies the default server-side encryption configuration.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

BucketKeyEnabled

Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. S3 Bucket Keys are always enabled for GET and PUT operations on a directory bucket and can’t be disabled. The BucketKeyEnabled element can only be set to true.

S3 Bucket Keys aren't supported when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, through CopyObject, UploadPartCopy, the Copy operation in Batch Operations, or import jobs. In this case, Amazon S3 makes a call to AWS KMS every time a copy request is made for a KMS-encrypted object.

For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

Required: No

Type: Boolean

Update requires: No interruption

ServerSideEncryptionByDefault

Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.

Required: No

Type: ServerSideEncryptionByDefault

Update requires: No interruption
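The following pre-deployment check is an added example, not part of the AWS documentation or AWS code: it walks an already-parsed template and reports directory buckets whose ServerSideEncryptionRule sets BucketKeyEnabled to anything but true or omits ServerSideEncryptionByDefault. BucketEncryption, ServerSideEncryptionConfiguration, SSEAlgorithm, KMSMasterKeyID, DataRedundancy and LocationName are CloudFormation property names defined on related pages rather than this one; the logical IDs and key ARN are constructed, values are assumed to be literals rather than intrinsic functions, and requiring a declared rule and an explicit KMSMasterKeyID are policy assumptions of the example.

```python
# Added example (not AWS code): lint ServerSideEncryptionRule entries of
# AWS::S3Express::DirectoryBucket resources in an already-parsed template.
RESOURCE_TYPE = "AWS::S3Express::DirectoryBucket"


def lint_encryption_rules(template):
    """Return sorted (logical_id, message) findings for directory buckets."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        enc = res.get("Properties", {}).get("BucketEncryption", {})
        rules = enc.get("ServerSideEncryptionConfiguration", [])
        if not rules:
            findings.append((logical_id, "no ServerSideEncryptionRule declared"))
        for rule in rules:
            # Only true is allowed; CloudFormation also accepts "true"/"false" strings.
            if str(rule.get("BucketKeyEnabled", True)).lower() != "true":
                findings.append((logical_id, "BucketKeyEnabled must be true"))
            default = rule.get("ServerSideEncryptionByDefault")
            if default is None:
                findings.append((logical_id, "no ServerSideEncryptionByDefault"))
            elif default.get("SSEAlgorithm") == "aws:kms" and not default.get("KMSMasterKeyID"):
                # Policy assumption of this example: SSE-KMS rules must name their key.
                findings.append((logical_id, "aws:kms without KMSMasterKeyID"))
    return sorted(findings)


def _bucket(*rules):
    """Build a constructed DirectoryBucket resource holding the given rules."""
    props = {"DataRedundancy": "SingleAvailabilityZone", "LocationName": "usw2-az1"}
    if rules:
        props["BucketEncryption"] = {"ServerSideEncryptionConfiguration": list(rules)}
    return {"Type": RESOURCE_TYPE, "Properties": props}


# Constructed sample template; logical IDs and the key ARN are placeholders.
KMS = {"SSEAlgorithm": "aws:kms",
       "KMSMasterKeyID": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}
SAMPLE_TEMPLATE = {"Resources": {
    "GoodBucket": _bucket({"BucketKeyEnabled": True, "ServerSideEncryptionByDefault": KMS}),
    "KeyOffBucket": _bucket({"BucketKeyEnabled": "false", "ServerSideEncryptionByDefault": KMS}),
    "NoDefaultBucket": _bucket({"BucketKeyEnabled": True}),
    "NoKeyIdBucket": _bucket({"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}),
    "BareBucket": _bucket(),
    "Topic": {"Type": "AWS::SNS::Topic"},
}}

if __name__ == "__main__":
    for logical_id, message in lint_encryption_rules(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {message}")
```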