I'm trying to understand the use case for this policy directive "s3:x-amz-server-side-encryption"
as demonstrated in this server side encryption page.
If one can enable transparent default encryption for the whole bucket, why use this policy?
Is it to be used where buckets do not have encryption enabled, and therefore enforces encryption under specific conditions, like specific prefixes, extensions, etc.? In this case some files are encrypted, some are not.
When to use one, and not the other?
{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::awsexamplebucket1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}
It forces the client to select the encryption algorithm:
aws s3api put-object --body somefile.png --bucket mybucket --server-side-encryption 'AES256'
This is the help text from the AWS CLI for the --server-side-encryption option:
The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).
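To make the difference between the two mechanisms concrete, here is an added example (not part of the question or the answer above) that models how the quoted Deny statement evaluates a PutObject request. Bucket default encryption only fills in an algorithm when the request sends no encryption header at all; it does not stop a client from explicitly requesting a different algorithm. The policy, by contrast, rejects a request whose header is anything other than AES256. The evaluator below is a small, self-contained model of that statement, not AWS's own authorizer: it ignores Principal (the statement uses "*"), supports only the string operators the policy uses, and assumes that a condition key absent from the request makes StringNotEquals match (the rule IAM documents for negated operators; confirm with the IAM policy simulator before relying on it). The helper names are invented for this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the bucket policy quoted in the question.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Evaluate one string condition against the request context.

    Assumed rule for a key that is absent from the request: StringEquals
    does not match, StringNotEquals does match. This mirrors IAM's
    documented handling of negated operators; verify it with the IAM
    policy simulator before relying on it.
    """
    actual = context.get(key)
    if operator == "StringEquals":
        return actual is not None and actual in _as_list(expected)
    if operator == "StringNotEquals":
        return actual is None or actual not in _as_list(expected)
    raise ValueError(f"operator not modelled here: {operator}")


def is_denied(policy, action, resource, context):
    """True if any Deny statement in the policy matches the request.

    Principal is ignored because the quoted statement uses "*"; only the
    Action, Resource and Condition elements are evaluated.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        # Every operator block and every key inside it must match (AND semantics).
        if all(
            _condition_matches(op, key, expected, context)
            for op, pairs in conditions.items()
            for key, expected in pairs.items()
        ):
            return True
    return False


def upload_denied(sse=None, bucket="awsexamplebucket1", key="somefile.png"):
    """Model `aws s3api put-object --server-side-encryption <sse>`.

    The CLI option populates the x-amz-server-side-encryption request
    header, which IAM exposes as the condition key
    s3:x-amz-server-side-encryption. A value of None models a request
    that sends no such header at all.
    """
    context = {}
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    return is_denied(POLICY, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", context)


if __name__ == "__main__":
    for sse in ("AES256", "aws:kms", None):
        verdict = "denied" if upload_denied(sse) else "not denied by this policy"
        print(f"--server-side-encryption {sse!r}: {verdict}")
```

Running it shows the three outcomes a practitioner cares about: an upload that names AES256 passes this statement, an upload that names aws:kms is denied even on a bucket whose default encryption is AES256, and an upload that sends no header is denied under the missing-key rule assumed above. Default encryption alone would silently accept the first and third and let the second override the default; the policy is what turns the default into a floor.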