Here are instructions for how to enforce AWS server-side encryption on your Amazon backup bucket:

  1. Select a bucket and select “Properties” from the drop-down menu:
  2. Select “Permissions,” then click “Edit bucket policy”:
  3. The policy editor will open:
  4. Enter a policy that forces all uploads to be encrypted. Here is an example policy that forces all cloudHQ uploads to be encrypted (AWS will reject any unencrypted upload, and cloudHQ will comply with the rule):
    {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::acme-backup-bucket/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "AES256"
                    }
                }
            },
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::acme-backup-bucket/*",
                "Condition": {
                    "Null": {
                        "s3:x-amz-server-side-encryption": "true"
                    }
                }
            }
        ]
    }

    IMPORTANT: Replace acme-backup-bucket in both Resource ARNs (arn:aws:s3:::acme-backup-bucket/*) with your own bucket name.
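To see why the policy needs both Deny statements, the following added example (not cloudHQ's or AWS's code) re-implements just the two condition operators the policy uses, StringNotEquals and Null, and evaluates sample PutObject requests against a constructed copy of the policy; it also shows that an SSE-KMS upload (header value aws:kms) is denied by this AES256-only policy.

```python
import json

# Constructed copy of the bucket policy above (acme-backup-bucket is a placeholder).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-backup-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-backup-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")


def condition_matches(operator, key, expected, context):
    """Evaluate one IAM condition; only the two operators this policy uses are modelled."""
    if operator == "Null":
        # "true" matches when the key is absent from the request, "false" when present.
        return (key not in context) == (expected == "true")
    if operator == "StringNotEquals":
        # A key missing from the request context does not match, so this statement
        # alone lets a header-less upload through; the Null statement closes that gap.
        return key in context and context[key] != expected
    raise ValueError(f"operator not modelled: {operator}")


def denying_statements(policy, context):
    """Return the Sids of Deny statements on s3:PutObject whose conditions all match."""
    denied = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        conds = [(op, k, v) for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items()]
        if all(condition_matches(op, k, v, context) for op, k, v in conds):
            denied.append(stmt["Sid"])
    return denied


def put_object_allowed(policy, headers):
    """True if a PutObject carrying these request headers passes the bucket policy."""
    # S3 exposes the x-amz-server-side-encryption header as this condition key.
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    return not denying_statements(policy, context)


if __name__ == "__main__":
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "allowed" if put_object_allowed(POLICY, hdrs) else "denied")
```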