AnsweredAssumed Answered

Does the S3 Connector support AES256 Server Side Encryption?

Question asked by chris.c on Aug 9, 2017
Latest reply on Aug 10, 2017 by jason_r_walsh667087

I've been trying to upload files to an S3 bucket where a policy is defined that requires AES256 server side encryption. (this is the AWS bucket policy)

"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SimpleStorageS3Bucket" } , "/*" ] ]},
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"


There doesn't seem to be a way to have the S3 upload operation include the "s3:x-amz-server-side-encryption": "AES256" header in the request to AWS. The "Use Server Side Encryption:" setting appears to toggle the s3:x-amz-server-side-encryption: kms option. I have the "AWS KMS Key ARN/ID:" setting left blank


Is there any support for AES256 server side encryption with the S3 connector? 


The documentation mentions "Amazon S3 uses three different modes of server-side encryption: SSE-S3, SSE-KMS, and SSE-C. If you turned on User Server Side Encryption and leave this field blank, then the connector uses SSE-S3 in which Amazon manages the data key and the master key" ... "Support for SSE-C is not implemented"  


Based on the below paragraph from Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) - Amazon Simple S…   it sounds as though SSE-S3 should result in AES256 as the server side encryption type.

Server-side encryption is about protecting data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.