Setting the default encryption for an existing S3 bucket
As a storage administrator, you can set the default encryption for an existing Amazon S3 bucket so that every object stored in the bucket is encrypted at rest. The Bucket Encryption APIs support server-side encryption with Amazon S3-managed keys (SSE-S3) or Amazon KMS customer master keys (SSE-KMS).
You manage default encryption for an existing Amazon S3 bucket with the PutBucketEncryption API. Once the default encryption is defined at the bucket level, every object uploaded to the bucket from that point on is stored with that encryption, even when the client does not request encryption in the upload itself.
Prerequisites
- A running IBM Storage Ceph
- Installation of the Ceph Object Gateway.
- An S3 bucket created.
- An S3 user created with user access.
- Access to a Ceph Object Gateway client with the AWS CLI package installed.
Procedure
- Create a JSON file for the encryption configuration:
Example
[user@client ~]$ vi bucket-encryption.json
- Add the encryption configuration rules to the file:
Example
{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
            }
        }
    ]
}
- Set the default encryption for the bucket:
Syntax
aws --endpoint-url=RADOSGW_ENDPOINT_URL:PORT s3api put-bucket-encryption --bucket BUCKET_NAME --server-side-encryption-configuration file://PATH_TO_BUCKET_ENCRYPTION_CONFIGURATION_FILE/BUCKET_ENCRYPTION_CONFIGURATION_FILE.json
Example
[user@client ~]$ aws --endpoint-url=http://host01:80 s3api put-bucket-encryption --bucket testbucket --server-side-encryption-configuration file://bucket-encryption.json
Verification
- Retrieve the bucket encryption configuration for the bucket:
Syntax
aws --endpoint-url=RADOSGW_ENDPOINT_URL:PORT s3api get-bucket-encryption --bucket BUCKET_NAME
Example
[user@client ~]$ aws --endpoint-url=http://host01:80 s3api get-bucket-encryption --bucket testbucket
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}
If the bucket has no default encryption configuration, the get-bucket-encryption command returns ServerSideEncryptionConfigurationNotFoundError.
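The procedure above, scripted end to end as an added example (this is not code from the IBM Storage Ceph documentation or the Ceph project). It generates the rule JSON for either SSE-S3 (AES256) or SSE-KMS (aws:kms with a KMSMasterKeyID, the other form the page says the Bucket Encryption APIs support), applies it with put-bucket-encryption, and then parses the get-bucket-encryption response so that a missing configuration (ServerSideEncryptionConfigurationNotFoundError) is treated as a failed check rather than silently ignored. The endpoint http://host01:80, the bucket testbucket, the key ID my-rgw-key and the sample CLI output embedded below are assumptions constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the IBM Storage Ceph docs: build, apply and verify a
# bucket default-encryption rule. Endpoint, bucket, key ID and the sample
# outputs below are placeholders/constructed for this example.
set -eu

# Emit the JSON passed to --server-side-encryption-configuration.
# $1 = AES256 (SSE-S3) or aws:kms (SSE-KMS); $2 = KMS key ID, required for aws:kms.
sse_config() {
  local alg="$1" key="${2:-}"
  case "$alg" in
    AES256)
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' ;;
    aws:kms)
      [ -n "$key" ] || { echo "aws:kms requires a KMSMasterKeyID" >&2; return 1; }
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"}}]}' "$key" ;;
    *)
      echo "unsupported SSEAlgorithm: $alg" >&2; return 1 ;;
  esac
}

# Read get-bucket-encryption output (stdout and stderr merged) from stdin and
# print the configured SSEAlgorithm. Returns 1 when the bucket has no default
# encryption, which the CLI reports as ServerSideEncryptionConfigurationNotFoundError.
sse_algorithm_from_output() {
  local out alg
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'ServerSideEncryptionConfigurationNotFoundError'; then
    return 1
  fi
  alg="$(printf '%s\n' "$out" | sed -n 's/.*"SSEAlgorithm": *"\([^"]*\)".*/\1/p' | head -n1)"
  [ -n "$alg" ] || return 1
  printf '%s\n' "$alg"
}

# Apply the rule to a live gateway and verify it. Needs the AWS CLI and an S3
# user; this is the only function that talks to the network.
apply_and_verify() {
  local endpoint="$1" bucket="$2" alg="$3" key="${4:-}"
  local cfg
  cfg="$(mktemp)"
  sse_config "$alg" "$key" > "$cfg"
  aws --endpoint-url="$endpoint" s3api put-bucket-encryption \
      --bucket "$bucket" --server-side-encryption-configuration "file://$cfg"
  rm -f "$cfg"
  # Merge stderr so a NotFound error reaches the parser instead of the terminal.
  aws --endpoint-url="$endpoint" s3api get-bucket-encryption --bucket "$bucket" 2>&1 \
    | sse_algorithm_from_output
}

# Constructed sample responses (not captured from a real gateway) so the parser
# can be exercised offline.
SAMPLE_GET_OK='{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}'
SAMPLE_GET_MISSING='An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found'

# Offline demonstration of the verification step on the constructed samples.
demo_parse_ok() { printf '%s\n' "$SAMPLE_GET_OK" | sse_algorithm_from_output; }
demo_parse_missing() { printf '%s\n' "$SAMPLE_GET_MISSING" | sse_algorithm_from_output; }

# Live usage (commented out so the script can be sourced without a gateway):
# apply_and_verify http://host01:80 testbucket AES256
# apply_and_verify http://host01:80 testbucket aws:kms my-rgw-key
```

Two points worth keeping in mind when you run this against a gateway: the default applies only to objects written after the rule is set, so objects already in the bucket are not re-encrypted, and an aws:kms rule only helps if the key ID refers to a key the gateway's KMS backend can actually reach, otherwise uploads that rely on the default will fail rather than fall back to plaintext.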