Alt 1 - Encryption using Amazon key (SSE-S3)

Go to your bucket's Properties, find the encryption section, and enable it.

The "Amazon S3 key" encryption key type works right away, while using your own key requires an additional permission on the AWS KMS key (see below).

Alt 2 - Encryption using your own KMS key (SSE-KMS)

Go to your bucket's Properties, find the encryption section, and enable it.

Select the second "Encryption key type" option, then select your KMS key or create one (the AWS managed key option is not supported).

Edit the policy of the KMS key, add this statement, and update the Resource with the KMS key ARN:

{
    "Sid": "Enable funnel encrypting incoming S3 data",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::071303700930:role/funnel-export-executor"
    },
    "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}"
}
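
An added example, not part of the original article or Funnel's own tooling: a Python helper that merges the statement above into an existing key policy without dropping other statements, and refuses a Resource that still contains the {region}, {account-id} or {kms-key-id} placeholders. The sample policy, the account ID 111122223333 and the key ID are constructed, and the function names are hypothetical.

```python
import json
import re

# Values taken from the article's statement; Resource is filled in per key.
FUNNEL_ROLE = "arn:aws:iam::071303700930:role/funnel-export-executor"
SID = "Enable funnel encrypting incoming S3 data"
# A concrete key ARN: braces from unfilled placeholders never match.
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def funnel_statement(key_arn):
    """Build the article's statement, rejecting an unfilled or malformed ARN."""
    if not KMS_ARN.match(key_arn):
        raise ValueError(f"not a concrete KMS key ARN: {key_arn!r}")
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": FUNNEL_ROLE},
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
        "Resource": key_arn,
    }


def add_funnel_statement(policy, key_arn):
    """Return a copy of the key policy with the statement added or replaced.

    Existing statements are kept; one with the same Sid is replaced, so
    running this twice does not create a duplicate.
    """
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a policy may hold a single statement object
        stmts = [stmts]
    kept = [s for s in stmts if s.get("Sid") != SID]
    return {**policy, "Statement": kept + [funnel_statement(key_arn)]}


# Constructed sample: a key policy holding only an account-root statement.
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(add_funnel_statement(SAMPLE_POLICY, SAMPLE_KEY_ARN), indent=2))
```

The output is a complete key policy document, so the statements already on the key stay in place when it is saved as the key's policy.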
