putBucketEncryption method
Written by
Updated at March 19, 2025
Adds encryption to the bucket. By default, objects added to the bucket are encrypted with the specified KMS key. For more information about bucket encryption, see Encryption in Object Storage.
For more information on getting started with the API and the general request format, see How to use the S3 API.
Request
PUT /{bucket}?encryption HTTP/2
Path parameters
| Parameter | Description |
|---|---|
bucket |
Bucket name. |
Headers
Use only common headers in your requests.
Response
Headers
Responses can only contain common headers.
Response codes
For a list of possible responses, see Responses.
A successful response contains additional data in XML format with the schema described below.
Data schema
<ServerSideEncryptionConfiguration>
<Rule>
<ApplyServerSideEncryptionByDefault>
<KMSMasterKeyID>string</KMSMasterKeyID>
<SSEAlgorithm>string</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
...
</ServerSideEncryptionConfiguration>
| Element | Description |
|---|---|
ApplyServerSideEncryptionByDefault |
Sets default encryption for the object, if other encryption parameters are not specified in the request. Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault. |
KMSMasterKeyID |
KMS key ID. Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault\KMSMasterKeyID. |
Rule |
Server-side encryption policy. The encryption is defined by KMSMasterKeyID and SSEAlgorithm.Path: ServerSideEncryptionConfiguration\Rule. |
ServerSideEncryptionConfiguration |
Default encryption configuration for new objects in the bucket. Path: ServerSideEncryptionConfiguration. |
SSEAlgorithm |
Encryption algorithm that takes the aws:kms value.Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault\SSEAlgorithm. |