encryption_type

Type string
Default AES256
Module s3-bucket

Encryption type for the bucket. Use 'AES256' for S3-managed keys (SSE-S3) or 'aws:kms' for KMS-managed keys (SSE-KMS).

Supported Encryption Types

Type      Description                                            Use Case
AES256    Server-side encryption with Amazon S3 managed keys     Default, simple encryption
          (SSE-S3)
aws:kms   Server-side encryption with AWS KMS keys (SSE-KMS)     Compliance, key rotation, audit trails

Default Value

encryption_type = "AES256"

KMS Encryption

When using aws:kms, you must also provide the kms_key_arn. The key policy of that key must allow the principals that use the bucket to call it: writers need kms:GenerateDataKey, readers need kms:Decrypt. A bucket policy alone is not enough; a request that the key policy denies fails even when S3 itself permits it.

encryption_type = "aws:kms"
kms_key_arn     = module.kms.key_arn

Comparison

SSE-S3 (AES256)

  • AWS owns and manages the encryption keys; each object is encrypted with AES-256
  • No additional cost
  • Access is governed by S3 permissions (IAM and bucket policy) alone
  • No audit trail for key usage

SSE-KMS

  • Customer-managed KMS keys, or the AWS-managed aws/s3 key
  • Automatic key rotation (always on for the AWS-managed key; must be enabled on customer-managed keys)
  • The key policy is a second, independent access control: a principal needs both S3 and KMS permissions
  • CloudTrail logging of key usage
  • Per-request KMS API charges (reduced by S3 Bucket Keys)

Best Practices

  • Use aws:kms for sensitive or regulated data
  • Use customer-managed KMS keys for key lifecycle control (key policy, rotation, scheduled deletion, cross-account grants)
  • Enable automatic key rotation on customer-managed keys for compliance requirements; rotation keeps earlier key material, so existing objects stay readable
  • Consider S3 Bucket Keys to reduce KMS request costs: S3 derives per-object keys from a bucket-level key instead of calling KMS for every object, which also means fewer KMS CloudTrail events per object
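The following is an added example that puts the KMS Encryption section and the best practices above together; it is not part of this module's documentation or its code. Instead of the module.kms output shown above, it creates the customer-managed key directly with provider resources, turns on automatic rotation, and gives the key a policy that keeps the account root as administrator while letting a single application role (the assumed variable app_role_arn) use the key only through S3 in the current region via the kms:ViaService condition. The variables bucket_name and app_role_arn, the alias name and the description are assumptions; any other inputs the module requires must be taken from its own documentation.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Assumed inputs for this example (not module inputs).
variable "bucket_name" {
  type = string
}

variable "app_role_arn" {
  type        = string
  description = "IAM role that reads and writes objects in the bucket"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "s3_key" {
  # Account root keeps full control so the key can never become unmanageable.
  statement {
    sid       = "EnableRootAccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Only the application role may use the key, and only when S3 in this
  # region calls KMS on its behalf (SSE-KMS). Direct kms:Decrypt calls from
  # the role are refused, so a leaked ciphertext cannot be decrypted outside S3.
  statement {
    sid = "AllowS3UseByAppRole"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.app_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "s3" {
  description             = "SSE-KMS key for ${var.bucket_name}"
  enable_key_rotation     = true # yearly rotation; old material is retained
  deletion_window_in_days = 30   # maximum waiting period before deletion
  policy                  = data.aws_iam_policy_document.s3_key.json
}

resource "aws_kms_alias" "s3" {
  name          = "alias/${var.bucket_name}-sse" # assumed alias naming
  target_key_id = aws_kms_key.s3.key_id
}

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  bucket_name     = var.bucket_name
  encryption_type = "aws:kms"
  kms_key_arn     = aws_kms_key.s3.arn
}
```

Because the root statement carries no condition, the principal running terraform apply keeps managing the key through its IAM permissions, while every data-plane use of the key by the application is forced through S3. A principal that has s3:GetObject but is not in the key policy will still be denied, which is the property the SSE-KMS comparison above relies on.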

Full Module Example

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  # encryption_type
  encryption_type = "..."

  # Other required inputs
  bucket_name = "..."
}