Friday, May 06, 2016

AWS S3 - How to Use Server-side kms Encryption from aws cli

Server-side encryption protects data at rest: S3 encrypts your data at the object level as it writes it to disk and decrypts it when you access it. As long as your request is authenticated and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. You can read more here (http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html).

Amazon S3 supports bucket policies that you can use to require server-side encryption for all objects stored in your bucket. For example, the following bucket policy denies upload object (s3:PutObject) permission to everyone if the request does not include the x-amz-server-side-encryption header requesting server-side encryption with SSE-KMS.
{
   "Version":"2012-10-17",
   "Id":"PutObjPolicy",
   "Statement":[{
         "Sid":"DenyUnEncryptedObjectUploads",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::YourBucket/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-server-side-encryption":"aws:kms"
            }
         }
      }
   ]
}

To add server-side KMS encryption to your object, you can use "aws s3api". Here is an example:
aws s3api put-object --bucket your-s3-bucket --key path_in_s3 --body local_path --server-side-encryption "aws:kms" --ssekms-key-id your_kms_key_id

path_in_s3: the key under which the object is stored in S3 (without the bucket name), for example: backup/file1.text
local_path: the local file path
your_kms_key_id: you can get it from "Encrypted keys" in the AWS console.
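To show how the bucket policy above treats the put-object call above, here is an added example (not from the original post) that evaluates the policy offline in Python against the request-context keys a PutObject would carry. The evaluator, the put_object_context helper and the object key under the post's placeholder bucket YourBucket are assumptions; only the StringEquals and StringNotEquals operators are modelled.

```python
import fnmatch
import json

# Bucket policy from the post; "YourBucket" is the post's placeholder name.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
  }]
}""")

def put_object_context(server_side_encryption=None):
    """Request-context keys for a PutObject: the --server-side-encryption flag
    becomes the x-amz-server-side-encryption header, which the policy sees as
    the condition key s3:x-amz-server-side-encryption. No flag means no key."""
    ctx = {}
    if server_side_encryption is not None:
        ctx["s3:x-amz-server-side-encryption"] = server_side_encryption
    return ctx

def condition_matches(condition, ctx):
    """StringEquals / StringNotEquals only (all this policy uses). IAM semantics
    modelled: a negated operator on a key absent from the request is true, so an
    upload with no encryption header matches the Deny just as AES256 does."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            if equal != (operator == "StringEquals"):
                return False
    return True

def evaluate(policy, action, resource_arn, ctx):
    """Return 'Deny' if an explicit Deny statement matches, else 'NoMatch'. Only
    the Deny side is modelled; the caller's Allow comes from their IAM policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action != stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return "Deny"
    return "NoMatch"
```

Note that the condition only checks the algorithm: an upload with --server-side-encryption aws:kms passes whether --ssekms-key-id names your key or is omitted (in which case S3 falls back to the AWS-managed key for S3).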
