Amazon S3 Introduces Automatic Server-Side Encryption for All New Objects with No Additional Cost
Amazon S3, a highly scalable, high-performance object storage service, is now automatically applying server-side encryption (SSE-S3) to all new objects added to S3. This new default encryption will be applied at no additional cost to customers and will have no impact on performance. SSE-S3 uses 256-bit Advanced Encryption Standard (AES) encryption and has already been configured by customers for trillions of objects. This new default encryption feature helps customers meet their encryption requirements without making any changes to their applications.
Customers can still choose to use customer-provided encryption keys (SSE-C) or AWS Key Management Service keys (SSE-KMS) if they have specific requirements. The S3 Default Encryption feature, an optional bucket-level setting that establishes a default level of encryption, will now automatically use SSE-S3 for all new and existing buckets that have no customer-configured encryption settings.
Existing buckets that already have an S3 Default Encryption configuration will not be affected by this change. Customers can continue to update the Default Encryption configuration, but they can no longer remove this setting from any S3 bucket to disable automatic encryption on new objects. As a result, all new data uploaded to S3 will be encrypted at rest.
The automatic encryption status for new object uploads and S3 Default Encryption configuration can be found in AWS CloudTrail logs. Over the next few weeks, this status will begin to show in the S3 management console, S3 Inventory, S3 Storage Lens, and as an additional S3 API header in the AWS CLI and AWS SDK. Amazon S3 will update the documentation once this additional information is available in all AWS Regions.
This update is available in all AWS Regions, including the AWS GovCloud (US) Regions and AWS China Regions, so customers using S3 in these Regions will also benefit from the new default encryption feature.
For detailed information on the expected experience, customers can refer to the AWS News Blog post for this new base level of encryption or visit the Amazon S3 encryption documentation. This change is a big step forward in security and data protection for S3 customers, and it will ensure that all new data added to S3 is automatically encrypted at rest. This feature will help customers meet their compliance requirements and give them peace of mind that their data is secure.