Protect files in S3 with server side encryption

Server-side encryption for uploads to S3 is not new; Cyberduck has supported it since version 4.2. Still, here is a short summary of how to ensure that every file uploaded to a bucket is protected, and not only those where the user remembers to enable it.

  • Create a new bucket in S3 by choosing File → New Folder… in Cyberduck. Refer to Create a bucket.
  • Enforce encryption by applying a bucket policy in the AWS S3 console. Choose Edit Bucket Policy and enter the following policy, replacing bucketname with the name of your bucket. The statement denies every s3:PutObject request whose x-amz-server-side-encryption header is not exactly AES256, regardless of who sends it, so unencrypted uploads from any client are refused with Access Denied.
    {
      "Version": "2012-10-17",
      "Id": "PutObjPolicy",
      "Statement": [
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::bucketname/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        }
      ]
    }
  • In Preferences… → S3 → Encryption choose AES256 as the default, so that Cyberduck sends the x-amz-server-side-encryption header with every upload and the policy lets the uploads through.

You can verify that an object is encrypted in S3 by selecting it, choosing ⌘-I (Get Info) and opening the S3 tab. Ensure the Server Side Encryption checkbox is selected.
S3 Server Side Encryption
