Object Storage API, Amazon S3-compatible REST: PutBucketEncryption
Written by
Updated at May 6, 2026
Adds encryption to the bucket. By default, objects added to the bucket are encrypted with the specified KMS key. For more information about bucket encryption, see Encryption in Object Storage.
For more information on getting started with the API and the general request format, see How to use the S3 API.
Request
PUT /{bucket}?encryption HTTP/2
Path parameters
| Parameter | Description |
|---|---|
bucket |
Bucket name. |
Headers
Use only common headers in your requests.
Response
Headers
Responses can only contain common headers.
Response codes
For a list of possible responses, see Responses.
A successful response contains additional data in XML format with the schema described below.
Data schema
<ServerSideEncryptionConfiguration>
<Rule>
<ApplyServerSideEncryptionByDefault>
<KMSMasterKeyID>string</KMSMasterKeyID>
<SSEAlgorithm>string</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
...
</ServerSideEncryptionConfiguration>
| Element | Description |
|---|---|
ApplyServerSideEncryptionByDefault |
Sets default encryption for the object, if no other encryption parameters are specified in the request. Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault. |
KMSMasterKeyID |
KMS key ID. Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault\KMSMasterKeyID. |
Rule |
Server-side encryption policy. The encryption is defined by KMSMasterKeyID and SSEAlgorithm.Path: ServerSideEncryptionConfiguration\Rule. |
ServerSideEncryptionConfiguration |
Default encryption configuration for new objects in the bucket. Path: ServerSideEncryptionConfiguration. |
SSEAlgorithm |
Encryption algorithm Available values: aws:kms.Path: ServerSideEncryptionConfiguration\Rule\ApplyServerSideEncryptionByDefault\SSEAlgorithm. |