I want to enable default encryption for the existing buckets (Amazon S3-managed encryption keys (SSE-S3)). The future objects will be encrypted but to encrypt the existing objects either I need to copy them or re-upload them.
I am wondering, as I am using SSE-S3 for default encryption on the buckets, do I need to make any IAM changes to allow bucket users to access both the existing objects and future objects? Or does enabling default encryption (SSE-S3) on buckets not require any IAM changes, as the encryption is applied before storing data at rest?
Thank you for your help.
If you are using SSE-S3 (Amazon S3-managed encryption keys) then you don't have to do anything. You may just enforce this encryption through a bucket policy, as a default SSE-S3 bucket encryption can be overwritten by your users on a per-object basis.
But if you were to choose SSE-KMS as default with your own CMK (not the AWS one), then your users/instances/lambdas would need to have permissions to access the CMK as well.
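One way to write the bucket policy the answer refers to, as an added example that is not part of the original answer: it denies `s3:PutObject` only when the request carries an `x-amz-server-side-encryption` header with a value other than `AES256`, so uploads without the header still fall through to the bucket default. The bucket name `example-bucket` is a placeholder, and `is_denied` is a simplified local model of the two condition operators used here, not the real IAM evaluation engine.

```python
import json

BUCKET = "example-bucket"  # placeholder bucket name (assumption)
HEADER_KEY = "s3:x-amz-server-side-encryption"  # S3 condition key for the SSE header


def build_policy(bucket):
    """Deny PutObject when an SSE header is sent and it is not AES256 (SSE-S3)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonSseS3Override",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Both operators must match (logical AND) for the Deny to apply.
            "Condition": {
                "Null": {HEADER_KEY: "false"},              # header is present
                "StringNotEquals": {HEADER_KEY: "AES256"},  # and is not SSE-S3
            },
        }],
    }


def is_denied(policy, request_headers):
    """Simplified model: evaluate the Deny statement against one PutObject request."""
    value = request_headers.get("x-amz-server-side-encryption")
    present = value is not None
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        # Null "false" matches when the key exists in the request.
        null_match = (cond["Null"][HEADER_KEY] == "false") == present
        # Negated string operators also match when the key is absent.
        ne_match = (not present) or value != cond["StringNotEquals"][HEADER_KEY]
        if stmt["Effect"] == "Deny" and null_match and ne_match:
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: no header, SSE-S3 header, SSE-KMS override.
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"}):
        print(headers, "-> denied" if is_denied(policy, headers) else "-> allowed")
```

Dropping the `Null` condition turns this into the stricter variant in which every upload must send the `AES256` header explicitly, because `StringNotEquals` also matches when the header is absent.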