How do I upload data to S3 when Encryption at Rest is Enabled?

The AWS S3 service offers server side encryption for secure storage of data. This can be basic service side encryption with keys managed by S3 (SSE), or includes more advanced forms including the use of KMS or client side keys.

Turbot offers the option S3 > Encryption at Rest to allow enforcement of the use of encryption for S3 objects. When enabled, Turbot updates the bucket policy to require the encryption flag to be set for all object uploads to the bucket.

To upload an object to S3 with AWS Server Side Encryption enabled using the AWS command line:

# List the buckets in S3
aws s3 ls

# List the objects in the S3 bucket my-bucket
aws s3 ls s3://my-bucket

# Upload hello.txt to the S3 bucket (unencrypted) my-bucket
# WARNING - Will fail if S3 > Encryption at Rest is enabled for my-bucket
aws s3 cp hello.txt s3://my-bucket

# Upload hello.txt to the S3 bucket using SSE to store the object
aws s3 cp --sse AES256 hello.txt s3://my-bucket

# Check that encryption is enabled for the object
aws s3api head-object --bucket my-bucket --key hello.txt

When using an AWS SDK to upload objects, be sure to set the ServerSideEncryption flag. For example, when using the AWS JS SDK s3.putObject do:

var params = {
  Bucket: 'my-bucket',
  Key: 'hello.txt',
  Body: 'Hello, I am some content for the file.'
  ServerSideEncryption: 'AES256'
}
s3.putObject(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});
Was this article helpful?
0 out of 0 found this helpful