Remediating S3 Bucket Default Encryption

Overview

This tutorial walks through enabling default server-side encryption (SSE-S3 with AES-256) on an S3 bucket that lacks encryption configuration. Since January 2023, AWS automatically encrypts all new S3 objects with SSE-S3, but older buckets or buckets with modified settings may not have explicit default encryption enabled. This tutorial covers verifying the current encryption state and configuring SSE-S3 (AES-256) as the default.

Cost Impact: No additional cost. SSE-S3 (AES-256) encryption is provided at no extra charge by AWS.

Prerequisites

  • Access to the AWS Console
  • Appropriate IAM permissions to view and modify S3 bucket encryption settings
  • The bucket name you want to remediate

Step 1: Verify Current Encryption Settings

Navigate to the S3 bucket's Properties tab to check its current encryption configuration:

https://s3.console.aws.amazon.com/s3/buckets/remediation-demo-encryption-check-148557232314?region=us-east-1&tab=properties

Step 2: Check the Default Encryption Section

Scroll down to the Default encryption section. This shows the bucket's current server-side encryption settings. If encryption is not explicitly configured or shows a non-standard configuration, it needs to be updated.

Step 3: Enable Default Encryption

Click Edit in the Default encryption section to modify the encryption settings.

Step 4: Review Encryption Type Options

On the edit page, you'll see the encryption type options:

  • Server-side encryption with Amazon S3 managed keys (SSE-S3) — Uses AES-256 encryption managed entirely by AWS. No additional cost.
  • Server-side encryption with AWS KMS keys (SSE-KMS) — Uses AWS Key Management Service. Provides an audit trail of key usage via CloudTrail but incurs KMS API costs.

For most use cases, SSE-S3 (AES-256) is sufficient and cost-free.

Step 5: Select SSE-S3

Select Server-side encryption with Amazon S3 managed keys (SSE-S3).

Step 6: Verify Bucket Key Setting

Leave Bucket Key enabled (the default). Bucket Keys reduce KMS request costs when a bucket uses SSE-KMS; with SSE-S3 the setting has no effect, so it is fine to leave it on.

Step 7: Save Changes

Click Save changes to apply the default encryption configuration.

Step 8: Verify the Change

You should see a success banner confirming the encryption settings were updated. The Default encryption section should now show:

  • Encryption type: Server-side encryption with Amazon S3 managed keys (SSE-S3)
  • Bucket Key: Enabled

All new objects uploaded to this bucket will now be encrypted with AES-256 by default.

Alternative Approaches

AWS CLI Method

aws s3api put-bucket-encryption \
  --bucket remediation-demo-encryption-check-148557232314 \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

SSE-KMS

For compliance requirements needing key rotation control or CloudTrail audit logging of key usage, use SSE-KMS with either the AWS managed key (aws/s3) or a customer-managed KMS key.
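The console steps above (check, enable, verify), the CLI command and the SSE-KMS variant expressed as one script. This is an added example, not code from the original tutorial; it assumes boto3 is installed and AWS credentials are configured when the live functions run. The bucket name is the tutorial's, the function names (build_encryption_config, assess_encryption, remediate) are ours, and the error code ServerSideEncryptionConfigurationNotFoundError is the real one S3 returns when no default encryption is set. The config and assessment helpers are pure Python, so they can be exercised without AWS access.

```python
"""Check and remediate S3 default encryption (added example, not the page's code)."""
from __future__ import annotations

# Bucket from the tutorial; any bucket name works.
BUCKET = "remediation-demo-encryption-check-148557232314"

# Algorithms that count as encrypted at rest: SSE-S3, SSE-KMS and DSSE-KMS.
ENCRYPTED_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def build_encryption_config(algorithm: str = "AES256",
                            kms_key_id: str | None = None,
                            bucket_key_enabled: bool = True) -> dict:
    """Return the ServerSideEncryptionConfiguration body for PutBucketEncryption.

    algorithm is "AES256" (SSE-S3) or "aws:kms" (SSE-KMS). For SSE-KMS a key id
    or alias may be given; omitting it makes S3 use the AWS managed key aws/s3.
    """
    if algorithm not in ("AES256", "aws:kms"):
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm!r}")
    if kms_key_id and algorithm != "aws:kms":
        raise ValueError("KMSMasterKeyID only applies to aws:kms")
    default = {"SSEAlgorithm": algorithm}
    if kms_key_id:
        default["KMSMasterKeyID"] = kms_key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default,
                       "BucketKeyEnabled": bucket_key_enabled}]}


def assess_encryption(config: dict | None) -> tuple[bool, str]:
    """Classify a GetBucketEncryption result (Steps 1-2 of the tutorial).

    config is the ServerSideEncryptionConfiguration dict, or None when the API
    raised ServerSideEncryptionConfigurationNotFoundError (nothing explicit set).
    Returns (compliant, reason).
    """
    if not config or not config.get("Rules"):
        return False, "no default encryption rule configured"
    default = config["Rules"][0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo is None:
        return False, "rule has no ApplyServerSideEncryptionByDefault"
    if algo not in ENCRYPTED_ALGORITHMS:
        return False, f"unrecognised SSEAlgorithm {algo!r}"
    return True, f"default encryption is {algo}"


def get_default_encryption(s3, bucket: str) -> dict | None:
    """Fetch the bucket's encryption config; None when none is explicitly set."""
    from botocore.exceptions import ClientError
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    return resp["ServerSideEncryptionConfiguration"]


def remediate(bucket: str = BUCKET, dry_run: bool = True) -> tuple[bool, str]:
    """Steps 1-8 as a script: check, apply SSE-S3 if needed, then re-check."""
    import boto3
    s3 = boto3.client("s3")
    compliant, reason = assess_encryption(get_default_encryption(s3, bucket))
    if compliant:
        return True, reason
    if dry_run:
        return False, f"would remediate: {reason}"
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_encryption_config("AES256"),
    )
    # Step 8: read the setting back rather than trusting the put succeeded.
    return assess_encryption(get_default_encryption(s3, bucket))


if __name__ == "__main__":
    print(remediate(dry_run=True))
```

Run with dry_run=True first: it reports whether the bucket would be changed without touching it. Both SSE-S3 and SSE-KMS are treated as compliant, matching the tutorial's "non-standard configuration" wording; an absent or unrecognised algorithm is what triggers remediation.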

Note on Existing Objects

Default encryption only applies to new objects. Existing unencrypted objects are not retroactively encrypted. Since January 2023, however, AWS has applied SSE-S3 at the service level to every newly uploaded object regardless of bucket settings, so only objects uploaded before that change can still be stored unencrypted.
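Because the bucket default does not touch existing objects, a practitioner usually follows the remediation with an audit of what is already stored. The following is an added example, not part of the original tutorial: it classifies objects by the ServerSideEncryption field that HeadObject returns and re-encrypts a straggler with an in-place copy. It assumes boto3 and credentials for the live functions; the sample HeadObject responses, their keys and the KMS key ARN are constructed for the test, while the API field names are the real ones.

```python
"""Audit existing objects for server-side encryption (added example, not the page's code)."""
from __future__ import annotations

BUCKET = "remediation-demo-encryption-check-148557232314"  # bucket from the tutorial
ACCEPTED = ("AES256", "aws:kms", "aws:kms:dsse")  # each counts as encrypted at rest

# Constructed HeadObject responses keyed by object key (sample data, not real objects).
SAMPLE_HEADS = {
    "reports/2022/q4.csv": {"ContentLength": 1024},  # pre-2023 upload, no SSE header
    "reports/2023/q1.csv": {"ContentLength": 2048, "ServerSideEncryption": "AES256"},
    "exports/keys.json": {"ContentLength": 512, "ServerSideEncryption": "aws:kms",
                          "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
}


def needs_reencryption(head: dict) -> bool:
    """True when HeadObject reports no SSE, or an algorithm outside ACCEPTED."""
    return head.get("ServerSideEncryption") not in ACCEPTED


def find_unencrypted(heads: dict[str, dict]) -> list[str]:
    """Keys that should be re-encrypted, sorted for stable reporting."""
    return sorted(key for key, head in heads.items() if needs_reencryption(head))


def audit_bucket(bucket: str = BUCKET, prefix: str = "") -> list[str]:
    """Live version: list every object and head each one (one request per key)."""
    import boto3
    s3 = boto3.client("s3")
    heads: dict[str, dict] = {}
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return find_unencrypted(heads)


def reencrypt_in_place(bucket: str, key: str) -> str:
    """Copy the object onto itself with SSE-S3 and return the algorithm S3 reports.

    S3 only accepts a self-copy when something changes; switching the encryption
    attribute qualifies. Objects over 5 GB need a multipart copy instead, and on a
    versioned bucket the old unencrypted version remains until it is deleted.
    """
    import boto3
    s3 = boto3.client("s3")
    resp = s3.copy_object(
        Bucket=bucket, Key=key,
        CopySource={"Bucket": bucket, "Key": key},
        ServerSideEncryption="AES256",
        MetadataDirective="COPY",  # keep the object's user metadata
    )
    return resp["ServerSideEncryption"]


if __name__ == "__main__":
    print("sample audit:", find_unencrypted(SAMPLE_HEADS))
```

Against the constructed sample only the 2022 object is flagged; the SSE-KMS object is accepted because the goal is encryption at rest, not a specific algorithm. For large buckets, an S3 Inventory report with the encryption status field avoids one HeadObject call per key.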

Summary

  • Immediate savings: No cost — SSE-S3 is free
  • SSE-KMS alternative cost: $0.03 per 10,000 KMS API requests
  • Security benefit: Explicit encryption configuration ensures compliance with security policies and audit requirements
  • Scope: Applies to all new objects uploaded after the change