Posted On: Jan 5, 2023

Amazon S3 now automatically applies S3 managed server-side encryption (SSE-S3) as a base level of encryption to all new objects added to S3, at no additional cost and with no impact on performance. SSE-S3 uses 256-bit Advanced Encryption Standard (AES-256) and is already applied to trillions of objects. This new base level of encryption helps customers meet their encryption requirements, with no changes to applications. Additionally, customers can still choose to encrypt their objects using customer-provided encryption keys (SSE-C), Amazon Key Management Service keys (SSE-KMS), or a client library such as the Amazon S3 Encryption Client.

Since 2017, customers have used the S3 Default Encryption feature to apply a base level of encryption for every object added to their buckets. S3 Default Encryption is a simple bucket-level setting that customers use to establish a default level of encryption. With this update, Amazon S3 will apply SSE-S3 as the Default Encryption setting for all new buckets and for existing buckets not using any encryption configuration. Existing buckets currently using S3 Default Encryption will not change. Moreover, Default Encryption can no longer be removed from any S3 bucket to disable automatic encryption on new objects. As a result, all new data uploaded to S3 will be encrypted at rest.

The automatic encryption status for new object uploads and S3 Default Encryption configuration is available in Amazon CloudTrail logs. Over the next few weeks, this status will begin to show in the S3 Management Console, S3 Inventory, S3 Storage Lens, and as an additional S3 API header in the Amazon CLI and Amazon SDK. We will update the S3 documentation once this additional information is available in all Amazon Web Services Regions. For detailed information on the process and expected experience, see the Amazon S3 Encryption documentation.
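The following is an added audit example, not code from the announcement or from AWS: it classifies a bucket's Default Encryption configuration and reads the encryption status of a new upload from a CloudTrail PutObject data event. The GetBucketEncryption response shape, the `ServerSideEncryptionConfigurationNotFoundError` error code and the `additionalEventData.SSEApplied` field (with `Default_` prefixed values for automatically applied encryption) are assumed from the S3 and CloudTrail APIs; the sample config and event are constructed.

```python
import json
from typing import Optional

# Constructed sample: GetBucketEncryption response for a bucket that only
# carries the new automatic SSE-S3 default (assumed response shape).
SAMPLE_SSE_S3_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                   "BucketKeyEnabled": False}]
    }
}

# Constructed CloudTrail PutObject data event, trimmed to the fields used.
SAMPLE_PUT_EVENT = json.dumps({
    "eventName": "PutObject",
    "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    "additionalEventData": {"SSEApplied": "Default_SSE_S3"},  # assumed field name
})


def classify_bucket_default(config: Optional[dict]) -> str:
    """Return 'none', 'sse-s3' or 'sse-kms' for a GetBucketEncryption response."""
    if not config:
        return "none"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "aws:kms":
            return "sse-kms"
        if algo == "AES256":
            return "sse-s3"
    return "none"


def classify_put_event(record: str) -> dict:
    """Summarise how (and whether) a PutObject upload was encrypted at rest."""
    event = json.loads(record)
    sse = event.get("additionalEventData", {}).get("SSEApplied", "")
    return {
        "key": event.get("requestParameters", {}).get("key"),
        "encrypted": bool(sse),                    # empty means no SSE recorded
        "by_default": sse.startswith("Default_"),  # bucket default, not the client
        "method": sse.removeprefix("Default_") or None,
    }


def fetch_bucket_default(bucket: str) -> Optional[dict]:
    """Live lookup with boto3; returns None for a bucket with no configuration."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        return boto3.client("s3").get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
```

A bucket reported as `none` or an event with `encrypted` false indicates data written before this change, which is worth tracking separately from uploads covered by the new default.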