s3 supports encryption at rest, but there isn't an option in s3 that automatically encrypts all files that are uploaded, so you need to specify encryption manually when you upload them.
I normally upload files to s3 from the CLI like so, using the --sse AES256 flag:
aws s3 cp ./your-local-file.txt \
s3://<your-bucket>/<path>/your-local-file.txt \
--sse AES256 --profile your-iam-profile --region <aws_region>
However, if you're using the AWS console, there is still hope. After selecting the files you want to upload, make sure you click the "Set Details" button. There will be a small checkbox that appears that allows you to set server-side encryption for what you upload. Very easy to forget if you're in a rush or tired.
Even though manually having to set the --sse AES256 flag might be easy to forget, especially with a distributed team, you can enforce that non-encrypted uploads fail on a bucket with a bucket-wide policy, as described in this AWS article.
A version of the policy is copied below for your convenience.
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<your-bucket>/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<your-bucket>/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": true
}
}
}
]
}
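To see what the two Deny statements above actually catch, here is an added example (not from the post or from AWS) that evaluates a PutObject request context against the policy. It implements only the two condition operators the policy uses (StringNotEquals and Null), keeps the <your-bucket> placeholder, and assumes the request is for an object inside that bucket so the Resource element matches.

```python
# Rebuild the post's bucket policy as a dict (constructed input, placeholder bucket kept).
def deny_statement(sid, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<your-bucket>/*",
            "Condition": condition}

POLICY = {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [
    deny_statement("DenyIncorrectEncryptionHeader",
                   {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}),
    deny_statement("DenyUnEncryptedObjectUploads",
                   {"Null": {"s3:x-amz-server-side-encryption": True}}),
]}

def operator_matches(operator, expected, actual):
    """Evaluate one condition operator; actual is None when the key is absent from the request."""
    if operator == "Null":
        # Null:true matches when the key is absent, Null:false when it is present.
        want_absent = str(expected).lower() == "true"
        return (actual is None) == want_absent
    if actual is None:
        # An absent key does not match a string operator, which is why the policy
        # needs the separate Null statement to catch uploads with no SSE header at all.
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    raise ValueError(f"unsupported operator {operator}")

def statement_matches(stmt, action, context):
    """True when the action matches and every condition key in the statement matches."""
    if stmt["Action"] != action:
        return False
    return all(operator_matches(op, expected, context.get(key))
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())

def put_object_denied(policy, context):
    """Return the Sid of the first Deny statement that blocks this PutObject, or None if allowed.
    context holds the request's condition keys, e.g. {"s3:x-amz-server-side-encryption": "AES256"}."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_matches(stmt, "s3:PutObject", context):
            return stmt["Sid"]
    return None

if __name__ == "__main__":
    # No header, a non-AES256 header, and the header the --sse AES256 flag sends.
    for ctx in ({}, {"s3:x-amz-server-side-encryption": "aws:kms"},
                {"s3:x-amz-server-side-encryption": "AES256"}):
        print(ctx, "->", put_object_denied(POLICY, ctx) or "allowed")
```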
I would argue that all of the above only achieve encryption at rest. Server Side Encryption cannot provide encryption of the data in transit, since it is encrypted when it arrives at the server.