An admin should be able to specify an option kms_key_id that is added to the service credentials payload to indicate what KMS key a service consumer can use for server side encryption.
An admin could enforce the usage of KMS by adding something like the following to their bucket policy:
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
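The policy above requires the header value `AES256` (SSE-S3), so an upload that requests SSE-KMS is denied by it. The following is an added example, not code from this project: it builds a variant that requires `aws:kms` and pins the key, then checks both policies against constructed requests. The key ARN is a placeholder for the value of `kms_key_id`, and `is_denied` is a simplified model of `StringNotEquals` evaluation, not the IAM engine.

```python
import json

# Real S3 condition keys; the evaluator below is a simplified model, not IAM.
SSE = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"
# Placeholder ARN standing in for the kms_key_id option (constructed value).
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def deny_unless(sid, key, value, bucket):
    """Deny s3:PutObject when the request's `key` is absent or differs from `value`."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {key: value}}}

def policy(statements):
    return {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": statements}

# The policy as it appears on the page: only SSE-S3 (AES256) uploads pass.
PAGE_POLICY = policy([
    deny_unless("DenyUnEncryptedObjectUploads", SSE, "AES256", "YourBucket")])

# Variant that requires SSE-KMS and pins the key named by kms_key_id.
KMS_POLICY = policy([
    deny_unless("DenyNonKmsUploads", SSE, "aws:kms", "YourBucket"),
    deny_unless("DenyWrongKmsKey", SSE_KEY, KMS_KEY_ARN, "YourBucket")])

def is_denied(pol, request_keys):
    """True if any Deny statement matches. StringNotEquals is a negated
    operator, so a key missing from the request also counts as a match."""
    for st in pol["Statement"]:
        cond = st["Condition"]["StringNotEquals"]
        if st["Effect"] == "Deny" and all(request_keys.get(k) != v for k, v in cond.items()):
            return True
    return False

# Constructed PutObject request contexts (condition key -> header value).
REQUESTS = {
    "no-sse-header": {},
    "sse-s3": {SSE: "AES256"},
    "sse-kms-pinned-key": {SSE: "aws:kms", SSE_KEY: KMS_KEY_ARN},
    "sse-kms-other-key": {SSE: "aws:kms", SSE_KEY: KMS_KEY_ARN + "-other"},
}

def outcomes(pol):
    """'allow' here means only 'not explicitly denied by this bucket policy'."""
    return {n: ("deny" if is_denied(pol, ctx) else "allow") for n, ctx in REQUESTS.items()}

if __name__ == "__main__":
    print(json.dumps(KMS_POLICY, indent=2))
    print("page policy:", outcomes(PAGE_POLICY))
    print("kms policy: ", outcomes(KMS_POLICY))
```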