© 2025 Direct Cursus Technology L.L.C.

Server-side encryption

Written by
Yandex Cloud
Updated at May 7, 2025
  • Get your cloud ready
    • Required paid resources
  • Create a bucket
  • Create a key
  • Enable encryption
  • Disable encryption

In this scenario, you will enable bucket encryption. As a symmetric encryption key, you will use a Yandex Key Management Service key. This key will encrypt all new bucket objects with envelope encryption.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

To enable server-side bucket encryption:

  1. Get your cloud ready.
  2. Create a bucket.
  3. Create a key.
  4. Enable encryption.

If you no longer need to encrypt new bucket objects, disable encryption.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of maintaining a bucket with encryption includes:

  • Fee for storing data in a bucket (see Object Storage pricing).
  • Fee for data operations (see Object Storage pricing).
  • Fee for using KMS keys (see Key Management Service pricing).

Create a bucket

You can create a new bucket or use an existing one. To create a bucket, run:

Management console

  1. In the management console, select the folder where you want to create a bucket.

  2. From the list of services, select Object Storage.

  3. Click Create bucket.

  4. In the Name field, enter a name for the bucket.

    The name must meet the following requirements:

    • The name must be from 3 to 63 characters long.
    • The name may contain lowercase Latin letters, numbers, hyphens, and periods.
    • The first and last characters must be letters or numbers.
    • The characters to the right and left of the period must be letters or numbers.
    • The name must not look like an IP address, e.g., 10.1.3.9.
  5. Specify the maximum size of the bucket in GB.

  6. In the Object read access, Object listing access, and Read access to settings fields, select Restricted.

  7. Click Create bucket.

AWS CLI

  1. If you do not have the AWS CLI yet, install and configure it.

  2. Run this command:

    aws s3 mb s3://<bucket_name> --endpoint-url=https://storage.yandexcloud.net
    

    Result:

    make_bucket: <bucket_name>
    

Terraform

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Describe the resources in the configuration file. In this scenario, specify the parameters under locals:

    locals {
      cloud_id    = "<cloud_ID>"
      folder_id   = "<folder_ID>"
      oauth       = "<OAuth>"
      zone        = "ru-central1-a"
    
      sa_name     = "new-buckets-account"
      sa_desc     = "Account for managing Object Storage buckets"
      sa_key_desc = "Static key for ${local.sa_name}"
    
      bucket_name = "Bucket name" # Name of the bucket you are creating. If you do not specify a bucket name for the `yandex_storage_bucket` resource, the name will be generated automatically.
    }
    
    terraform {
      required_providers {
        yandex = {
          source = "yandex-cloud/yandex"
        }
      }
    }
    
    provider "yandex" {
      token     = local.oauth
      cloud_id  = local.cloud_id
      folder_id = local.folder_id
      zone      = local.zone
    }
    
    resource "yandex_iam_service_account" "buckets-account" {
      name        = local.sa_name
      description = local.sa_desc
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
      folder_id = local.folder_id
      role      = "editor"
      member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
    }
    
    resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
      service_account_id = "${yandex_iam_service_account.buckets-account.id}"
      description        = local.sa_key_desc
    }
    
    resource "yandex_storage_bucket" "test" {
      bucket     = local.bucket_name
      access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}"
      secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}"
    }
    

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

    terraform plan
    

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources.

      After the command is executed, Terraform updates or creates the following resources in the specified folder:

      • new-buckets-account service account.
      • The editor role for the new-buckets-account service account.
      • Static key for the service account.
      • Bucket.

      You can check the new resources using the management console.

Create a key

Create a new key or use an existing one. To create a key:

Management console

  1. In the management console, select the folder you want to create a key in.

  2. From the list of services, select Key Management Service.

  3. Click Create key.

  4. In the window that opens:

    • In the Name field, specify bucket-key.
    • In the Encryption algorithm field, select AES-256.
    • In the Rotation period, days field, set the rotation period to 7 days.
    • Click Create.

The key is created together with its first version: click the key in the list to open a page with its attributes.

Yandex Cloud CLI

Run this command:

yc kms symmetric-key create \
  --name bucket-key \
  --default-algorithm aes-256 \
  --rotation-period 168h

Where:

  • --name: Key name.

  • --default-algorithm: Encryption algorithm: aes-128, aes-192, or aes-256.

  • --rotation-period: Key rotation period. The value is set in hours, minutes, and seconds and cannot be less than 24 hours, e.g., --rotation-period 27h14m27s.

    To create a key without automatic rotation, do not specify the --rotation-period parameter.

The key is created along with its first version. It is specified in the primary_version field.
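The --rotation-period value uses the hours/minutes/seconds format shown above and must not fall below 24 hours. The following validator is an added example, not part of the Yandex Cloud documentation or the yc CLI; it parses that format and enforces the documented floor so a provisioning script can reject a bad value before calling the CLI. The candidate values in the main block are constructed.

```python
import re
from datetime import timedelta
from typing import Optional, Tuple

# Added example, not part of the Yandex Cloud documentation or the yc CLI.
# Parses the duration format that `yc kms symmetric-key create
# --rotation-period` accepts (hours, minutes and seconds, e.g. "168h" or
# "27h14m27s") and enforces the documented 24-hour minimum.

MIN_ROTATION = timedelta(hours=24)
_DURATION_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_rotation_period(text: str) -> timedelta:
    """Turn '27h14m27s'-style text into a timedelta; raise ValueError otherwise."""
    m = _DURATION_RE.fullmatch(text.strip())
    # An empty string matches the regex with every group None; reject it too.
    if m is None or not any(m.groups()):
        raise ValueError(f"not an h/m/s duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def validate_rotation_period(text: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, message). None models omitting --rotation-period (no rotation)."""
    if text is None:
        return True, "no automatic rotation configured"
    try:
        period = parse_rotation_period(text)
    except ValueError as exc:
        return False, str(exc)
    if period < MIN_ROTATION:
        return False, f"{text} is below the documented 24h minimum"
    return True, f"key rotates every {period}"


def rotation_period_seconds(text: str) -> int:
    """Whole seconds in the period, for comparing against policy thresholds."""
    return int(parse_rotation_period(text).total_seconds())


if __name__ == "__main__":
    # Constructed candidates: two valid, one too short, one in a format the CLI does not take.
    for candidate in ("168h", "27h14m27s", "12h", "7d", None):
        print(candidate, "->", validate_rotation_period(candidate))
```

Omitting the period is accepted because the page states that leaving out --rotation-period creates a key without automatic rotation; whether that is acceptable is a policy decision for the caller, so the function reports it rather than failing.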

Terraform

  1. Describe the resources in the configuration file. In this scenario, specify the parameters under locals:

    locals {
      cloud_id    = "<cloud_ID>"
      folder_id   = "<folder_ID>"
      oauth       = "<OAuth>"
      zone        = "ru-central1-a"
    
      sa_name     = "new-buckets-account"
      sa_desc     = "Account for managing Object Storage buckets"
      sa_key_desc = "Static key for ${local.sa_name}"
    
      key_name    = "bucket-key" # KMS key name
      key_desc    = "Bucket encryption key"
    
      bucket_name = "Bucket name"
    }
    
    terraform {
      required_providers {
        yandex = {
          source = "yandex-cloud/yandex"
        }
      }
    }
    
    provider "yandex" {
      token     = local.oauth
      cloud_id  = local.cloud_id
      folder_id = local.folder_id
      zone      = local.zone
    }
    
    resource "yandex_iam_service_account" "buckets-account" {
      name        = local.sa_name
      description = local.sa_desc
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
      folder_id = local.folder_id
      role      = "editor"
      member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
    }
    
    resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
      service_account_id = "${yandex_iam_service_account.buckets-account.id}"
      description        = local.sa_key_desc
    }
    
    resource "yandex_kms_symmetric_key" "key-a" {
      name              = local.key_name
      description       = local.key_desc
      default_algorithm = "AES_256"
      rotation_period   = "168h"
    }
    
    resource "yandex_storage_bucket" "test" {
      bucket     = local.bucket_name
      access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}"
      secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}"
    }
    
  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources.

      After the command is executed, Terraform updates or creates the following resources in the specified folder:

      • new-buckets-account service account.
      • The editor role for the new-buckets-account service account.
      • Static key for the service account.
      • KMS key named bucket-key.
      • Bucket.

      You can check the new resources using the management console.

API

Use the create method for the SymmetricKey resource.

Enable encryption

To enable bucket encryption with a KMS key:

Management console

  1. In the management console, select the folder the bucket is in.
  2. From the list of services, select Object Storage.
  3. Select the previously created bucket.
  4. In the left-hand panel, select Security.
  5. Open the Encryption tab.
  6. In the KMS Key field, select bucket-key.
  7. Click Save.

AWS CLI

Run this command:

aws s3api put-bucket-encryption \
  --bucket <bucket_name> \
  --endpoint-url=https://storage.yandexcloud.net \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "<KMS_key_ID>"
        },
        "BucketKeyEnabled": true
      }
    ]
  }'
Terraform

  1. Describe the resources in the configuration file. In this scenario, specify the parameters under locals:

    locals {
      cloud_id    = "<cloud_ID>"
      folder_id   = "<folder_ID>"
      oauth       = "<OAuth>"
      zone        = "ru-central1-a"
    
      sa_name     = "new-buckets-account"
      sa_desc     = "Account for managing Object Storage buckets"
      sa_key_desc = "Static key for ${local.sa_name}"
    
      key_name    = "bucket-key" # KMS key name
      key_desc    = "Bucket encryption key"
    
      bucket_name = "Bucket name" # Bucket name.
    }
    
    terraform {
      required_providers {
        yandex = {
          source = "yandex-cloud/yandex"
        }
      }
    }
    
    provider "yandex" {
      token     = local.oauth
      cloud_id  = local.cloud_id
      folder_id = local.folder_id
      zone      = local.zone
    }
    
    resource "yandex_iam_service_account" "buckets-account" {
      name        = local.sa_name
      description = local.sa_desc
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
      folder_id = local.folder_id
      role      = "editor"
      member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
    }
    
    resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
      service_account_id = "${yandex_iam_service_account.buckets-account.id}"
      description        = local.sa_key_desc
    }
    
    resource "yandex_kms_symmetric_key" "key-a" {
      name              = local.key_name
      description       = local.key_desc
      default_algorithm = "AES_256"
      rotation_period   = "168h"
    }
    
    resource "yandex_storage_bucket" "test" {
      bucket     = local.bucket_name
      access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}"
      secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}"
      server_side_encryption_configuration {
        rule {
          apply_server_side_encryption_by_default {
            kms_master_key_id = yandex_kms_symmetric_key.key-a.id
            sse_algorithm     = "aws:kms"
          }
        }
      }
    }
    
  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources.

      After the command is executed, Terraform updates or creates the following resources in the specified folder:

      • new-buckets-account service account.
      • The editor role for the new-buckets-account service account.
      • Static key for the service account.
      • KMS key named bucket-key.
      • Bucket with encryption.

      You can check the new resources using the management console.

Now all new objects in the bucket will be encrypted with bucket-key.
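Once encryption is enabled, the practical question for a reviewer is whether a bucket is actually enforcing SSE-KMS with the approved key. The script below is an added example, not Yandex Cloud's or AWS's code: it audits the JSON that `aws s3api get-bucket-encryption` returns (the same Rules structure the put-bucket-encryption command above takes, wrapped in a ServerSideEncryptionConfiguration object) and flags buckets with no configuration, a non-KMS algorithm, or an unexpected key. The responses and key IDs are constructed placeholders.

```python
import json
from typing import List, Optional

# Added example, not Yandex Cloud's or AWS's code. Audits a get-bucket-encryption
# response and reports whether default SSE-KMS with the expected key is in force.
# All samples below are constructed; the key IDs are placeholders.

EXPECTED_KEY_ID = "<KMS_key_ID>"  # placeholder: substitute the ID of bucket-key

# Constructed sample: bucket encrypted with the expected key.
SAMPLE_OK = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": EXPECTED_KEY_ID,
            },
            "BucketKeyEnabled": True,
        }]
    }
})

# Constructed sample: encrypted, but with a key nobody approved.
SAMPLE_WRONG_KEY = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "<some_other_key_ID>",
            }
        }]
    }
})


def audit_bucket_encryption(response_json: Optional[str], expected_key_id: str) -> dict:
    """Classify a get-bucket-encryption response.

    None models a CLI call that reports no encryption configuration at all
    (on AWS S3 that surfaces as ServerSideEncryptionConfigurationNotFoundError).
    """
    finding: dict = {"sse_kms": False, "key_match": False, "issues": []}
    if response_json is None:
        finding["issues"].append("no default encryption configured")
        return finding
    try:
        cfg = json.loads(response_json)
    except json.JSONDecodeError as exc:
        finding["issues"].append(f"unparseable response: {exc}")
        return finding
    rules: List[dict] = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        finding["issues"].append("encryption configuration has no rules")
        return finding
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            finding["issues"].append("rule without ApplyServerSideEncryptionByDefault")
            continue
        algorithm = default.get("SSEAlgorithm")
        if algorithm != "aws:kms":
            finding["issues"].append(f"SSEAlgorithm is {algorithm!r}, expected 'aws:kms'")
            continue
        finding["sse_kms"] = True
        key_id = default.get("KMSMasterKeyID")
        if not key_id:
            finding["issues"].append("aws:kms rule without KMSMasterKeyID")
        elif key_id == expected_key_id:
            finding["key_match"] = True
        else:
            finding["issues"].append(f"bucket uses key {key_id}, expected {expected_key_id}")
    return finding


def compliant(finding: dict) -> bool:
    """True only when SSE-KMS is on, the key matches, and nothing else was flagged."""
    return finding["sse_kms"] and finding["key_match"] and not finding["issues"]


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("wrong key", SAMPLE_WRONG_KEY), ("unencrypted", None)):
        finding = audit_bucket_encryption(sample, EXPECTED_KEY_ID)
        print(f"{label}: compliant={compliant(finding)} issues={finding['issues']}")
```

In use, the JSON string would come from the CLI output for each bucket in the folder; keeping the check strict about the key ID matters because encryption with an unapproved key still leaves the data readable by whoever holds kms.keys.decrypter on that key.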

Disable encryption

If you no longer need to encrypt new bucket objects, disable encryption.

Alert

After you disable bucket encryption, previously uploaded objects will be stored in encrypted form. Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as deleting all data encrypted with that key.
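The alert follows directly from how envelope encryption works, as introduced at the top of the article: each object is encrypted under its own data key, and only that data key is wrapped by the KMS key. The model below is an added illustration, not Yandex Cloud's implementation. It walks through enabling encryption, rotating the key, disabling encryption, and finally destroying the key, and records what stays readable at each step. The cipher inside is a keyed stream built from HMAC-SHA256 with an HMAC tag, used only so the example runs on the standard library; it stands in for AES-256 and is not a substitute for it.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added illustration, not Yandex Cloud's implementation. Models envelope
# encryption: per-object data keys wrapped by a versioned KMS key (the KEK).
# The stream cipher below is an HMAC-SHA256 stand-in for AES-256, chosen so
# the example needs no third-party library; do not reuse it for real data.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` bytes of keystream."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KmsKey:
    """Stand-in for a KMS symmetric key: versioned KEK material that never leaves 'KMS'."""

    def __init__(self) -> None:
        self._versions: Dict[int, bytes] = {1: os.urandom(32)}
        self.primary_version = 1

    def rotate(self) -> None:
        """New primary version; older versions stay available for unwrapping."""
        self.primary_version += 1
        self._versions[self.primary_version] = os.urandom(32)

    def wrap(self, data_key: bytes) -> Tuple[int, bytes]:
        return self.primary_version, encrypt(self._versions[self.primary_version], data_key)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version not in self._versions:
            raise KeyError(f"key version {version} no longer exists")
        return decrypt(self._versions[version], wrapped)

    def destroy(self) -> None:
        """Delete every version, which is what deleting the KMS key does."""
        self._versions.clear()


class Bucket:
    """Each object is stored as (kms_key, version, wrapped_data_key, body)."""

    def __init__(self, default_key: Optional[KmsKey]) -> None:
        self.default_key = default_key
        self._objects: Dict[str, tuple] = {}

    def put(self, name: str, data: bytes) -> None:
        if self.default_key is None:                   # encryption disabled: store as-is
            self._objects[name] = (None, 0, b"", data)
            return
        data_key = os.urandom(32)                      # fresh data key per object
        version, wrapped = self.default_key.wrap(data_key)
        self._objects[name] = (self.default_key, version, wrapped, encrypt(data_key, data))

    def get(self, name: str) -> bytes:
        key, version, wrapped, body = self._objects[name]
        return body if key is None else decrypt(key.unwrap(version, wrapped), body)

    def disable_encryption(self) -> None:
        """Stops encrypting new objects; existing objects stay encrypted."""
        self.default_key = None


def scenario() -> dict:
    """Enable -> rotate -> disable -> destroy, recording what remains readable."""
    kms = KmsKey()
    bucket = Bucket(default_key=kms)                  # encryption enabled with bucket-key
    bucket.put("a.txt", b"secret A")
    kms.rotate()                                      # a.txt stays under version 1
    bucket.put("b.txt", b"secret B")                  # wrapped under version 2
    bucket.disable_encryption()
    bucket.put("c.txt", b"plain C")                   # no longer encrypted
    out = {"a_after_rotate": bucket.get("a.txt"), "b_after_disable": bucket.get("b.txt")}
    kms.destroy()                                     # the situation the alert warns about
    try:
        bucket.get("a.txt")
        out["a_after_destroy"] = "readable"
    except KeyError:
        out["a_after_destroy"] = "unrecoverable"
    out["c_after_destroy"] = bucket.get("c.txt")
    return out


if __name__ == "__main__":
    print(scenario())
```

The run shows the three facts the alert relies on: rotation does not break older objects because their wrapping version survives, disabling encryption leaves a.txt and b.txt encrypted while only c.txt is written in the clear, and destroying the key leaves the encrypted objects unrecoverable even though the ciphertext is still in the bucket.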

Management console

  1. In the management console, select the folder the bucket is in.
  2. From the list of services, select Object Storage.
  3. Select the previously created bucket.
  4. In the left-hand panel, select Security.
  5. Open the Encryption tab.
  6. In the KMS Key field, select Not selected.
  7. Click Save.

AWS CLI

Run this command:

aws s3api delete-bucket-encryption \
  --bucket <bucket_name> \
  --endpoint-url=https://storage.yandexcloud.net
Terraform

  1. Describe the resources in the configuration file. To disable encryption, delete or comment out the server_side_encryption_configuration section for the yandex_storage_bucket resource:

    locals {
      cloud_id    = "<cloud_ID>"
      folder_id   = "<folder_ID>"
      oauth       = "<OAuth>"
      zone        = "ru-central1-a"
    
      sa_name     = "new-buckets-account"
      sa_desc     = "Account for managing Object Storage buckets"
      sa_key_desc = "Static key for ${local.sa_name}"
    
      key_name    = "bucket-key"
      key_desc    = "Bucket encryption key"
    
      bucket_name = "Bucket name"
    }
    
    terraform {
      required_providers {
        yandex = {
          source = "yandex-cloud/yandex"
        }
      }
    }
    
    provider "yandex" {
      token     = local.oauth
      cloud_id  = local.cloud_id
      folder_id = local.folder_id
      zone      = local.zone
    }
    
    resource "yandex_iam_service_account" "buckets-account" {
      name        = local.sa_name
      description = local.sa_desc
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
      folder_id = local.folder_id
      role      = "editor"
      member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
    }
    
    resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
      service_account_id = "${yandex_iam_service_account.buckets-account.id}"
      description        = local.sa_key_desc
    }
    
    resource "yandex_kms_symmetric_key" "key-a" {
      name              = local.key_name
      description       = local.key_desc
      default_algorithm = "AES_256"
      rotation_period   = "168h"
    }
    
    resource "yandex_storage_bucket" "test" {
      bucket     = local.bucket_name
      access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}"
      secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}"
      /*
        server_side_encryption_configuration {
          rule {
            apply_server_side_encryption_by_default {
              kms_master_key_id = yandex_kms_symmetric_key.key-a.id
              sse_algorithm     = "aws:kms"
            }
          }
        }
      */
    }
    
  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm that you want to update the resources.

      After the command is executed, Terraform updates the following resources in the specified folder:

      • new-buckets-account service account.
      • The editor role for the new-buckets-account service account.
      • Static key for the service account.
      • KMS key named bucket-key.
      • Bucket.

This will disable bucket encryption in the specified folder. You can check the resource update and configuration using the management console.
