This lab is currently in Beta; content may be updated as we refine the material.
Lab: Intermediate

KMS S3 Encryption Enforcement

Create a KMS key, enforce SSE-KMS encryption on an S3 bucket via bucket policy, and prove that unencrypted uploads are denied.

45 minutes
aws/devops

Lab Overview

Encrypting data at rest is a foundational security control, and the DevOps Engineer Professional exam expects you to combine KMS and S3 bucket policies to enforce encryption requirements.

In this lab you will act as a security engineer hardening an S3 bucket used by a production application. You will create a symmetric KMS key, configure default SSE-KMS encryption on a bucket, write a bucket policy that denies `s3:PutObject` unless the caller provides `x-amz-server-side-encryption: aws:kms` with the correct key, and then prove the enforcement works by uploading with and without encryption parameters.

You will:

  • Create a symmetric KMS key with an alias and a custom key policy granting full access to the lab user and S3
  • Create an S3 bucket with default SSE-KMS encryption using your key
  • Author and apply a bucket policy that denies `s3:PutObject` unless the request includes the required KMS encryption headers
  • Upload a file with `--sse aws:kms --sse-kms-key-id` (allowed) and without SSE parameters (denied with AccessDenied)
  • List objects and verify their `SSEKMSKeyId` attribute, then clean up all resources
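The bullet list above describes the policy and the upload tests in words. The following Python is an added example, not part of the lab's own material: it builds the deny-unless-SSE-KMS bucket policy in the shape the lab describes (ready to write to a file for `aws s3api put-bucket-policy --policy file://...`) and runs a simplified local model of the IAM condition checks over constructed sample requests that mirror the lab's `aws s3 cp` variants. The bucket name and key ARN are placeholders; the evaluator models only the `Null` and `StringNotEquals` operators and assumes the caller's IAM identity otherwise allows `s3:PutObject`, so it shows the policy logic, not a real S3 authorization.

```python
"""Build the SSE-KMS enforcement bucket policy and test its condition logic
locally against constructed PutObject requests (added example, not lab code)."""
import json

# Constructed placeholder values (not from the lab); substitute your own.
BUCKET = "example-lab-bucket"
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")
OTHER_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                 "11111111-1111-1111-1111-111111111111")

# S3 condition keys populated from the request's encryption headers.
SSE_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny(sid: str, resource: str, condition: dict) -> dict:
    """One Deny statement on s3:PutObject for every principal."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": resource,
            "Condition": condition}


def build_policy(bucket: str, key_arn: str) -> dict:
    """Deny PutObject unless both SSE headers are present and correct.

    A request context that lacks a key never matches StringNotEquals, so
    each StringNotEquals statement is paired with a Null statement that
    catches the header being absent altogether.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyUnencryptedObjectUploads", resource,
              {"Null": {SSE_HEADER: "true"}}),
        _deny("DenyIncorrectEncryptionHeader", resource,
              {"StringNotEquals": {SSE_HEADER: "aws:kms"}}),
        _deny("DenyMissingKmsKeyId", resource,
              {"Null": {KEY_HEADER: "true"}}),
        _deny("DenyWrongKmsKey", resource,
              {"StringNotEquals": {KEY_HEADER: key_arn}}),
    ]}


def policy_json(bucket: str = BUCKET, key_arn: str = KMS_KEY_ARN) -> str:
    """Policy document as the JSON string you would save to policy.json."""
    return json.dumps(build_policy(bucket, key_arn), indent=2)


def _statement_matches(statement: dict, headers: dict) -> bool:
    """Simplified model of IAM condition evaluation for the two operators used."""
    for operator, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            present = key in headers
            if operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                if present != (expected == "false"):
                    return False
            elif operator == "StringNotEquals":
                # Absent key: no match. Present and equal: no match.
                if not present or headers[key] == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_put_object(policy: dict, headers: dict):
    """Return the Sid of the first matching Deny, or None if the upload passes."""
    for statement in policy["Statement"]:
        if statement["Effect"] == "Deny" and _statement_matches(statement, headers):
            return statement["Sid"]
    return None


# Constructed request contexts mirroring the lab's CLI upload variants.
SAMPLE_REQUESTS = {
    "aws s3 cp file s3://bucket/ (no SSE flags)": {},
    "aws s3 cp ... --sse AES256": {SSE_HEADER: "AES256"},
    "aws s3 cp ... --sse aws:kms": {SSE_HEADER: "aws:kms"},
    "aws s3 cp ... --sse aws:kms --sse-kms-key-id <other key>":
        {SSE_HEADER: "aws:kms", KEY_HEADER: OTHER_KEY_ARN},
    "aws s3 cp ... --sse aws:kms --sse-kms-key-id <lab key>":
        {SSE_HEADER: "aws:kms", KEY_HEADER: KMS_KEY_ARN},
}


def run_checks() -> dict:
    """Map each sample request to the Sid that denies it (None = allowed)."""
    policy = build_policy(BUCKET, KMS_KEY_ARN)
    return {name: evaluate_put_object(policy, hdrs)
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(policy_json())
    for name, verdict in run_checks().items():
        print(f"{name:62s} -> {'Allowed' if verdict is None else 'AccessDenied: ' + verdict}")
```

Only the request that carries both `--sse aws:kms` and the lab key's ARN passes; everything else, including SSE-S3 (`AES256`) and SSE-KMS with the wrong key, is denied. Two points worth carrying into the lab: the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition compares against the key ARN, so put the ARN (not the alias) in the policy, and the `Null` statements are what turn "wrong header" enforcement into "missing header" enforcement.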

What You'll Learn

Create a symmetric KMS key with a custom key policy and alias using the AWS CLI

Configure default SSE-KMS encryption on an S3 bucket

Author an S3 bucket policy that enforces SSE-KMS encryption using condition keys

Demonstrate that unencrypted and SSE-S3 uploads are denied while SSE-KMS uploads succeed

Audit object encryption status and clean up KMS keys and S3 buckets

Prerequisites

Basic AWS CLI familiarity

AWS KMS fundamentals

Completed the AWS DevOps CLI Operations Baseline lab

Technologies Covered

aws, kms, s3, encryption, sse-kms, bucket-policy, security, dop-c02

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
