How Do I Access or Download an Encrypted Object?

Encrypting an Object

Method 1: Enable server-side encryption when you create a bucket. Then, all types of objects uploaded to the bucket will be automatically encrypted with the KMS key you specified during bucket creation.

Method 2: Specify a KMS key for encryption when you upload an object.

Accessing or Downloading an Encrypted Object

When an object is encrypted with SSE-KMS, it cannot be accessed directly, even if it has a public read policy (which grants anonymous users access to an object) configured. To access or download an encrypted object, use either of the following methods:

Access the encrypted object as a user with the KMS CMKFullAccess permission. The region where your KMS CMKFullAccess permission applies must be the one where the bucket storing the object is located. For details about how to grant users the KMS CMKFullAccess permission, see Assigning Permissions to an IAM User.

Parent topic: Server-Side Encryption

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel