aws cli put-bucket-encryption command fails with validation error for BucketKeyEnabled param

Time:06-27

I want to enable SSE-KMS encryption on an AWS S3 bucket, apply an existing KMS key to the bucket, and also set the Bucket Key to true.

AWS CLI put-bucket-encryption v2 doc: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-encryption.html

I followed the above-mentioned aws cli documentation for put-bucket-encryption and ran the following command, but got a validation error for the BucketKeyEnabled param. If I remove that param, the command runs fine and sets the KMS key correctly. However, I also want to set the Bucket Key to true.

What's wrong with my command? I did compare the AWS CLI v1 and v2 documentation and both look the same for put-bucket-encryption. Is this an aws cli version

Command:

aws s3api put-bucket-encryption \
    --bucket my-bucket \
    --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"AWS_KMS_key_ARN"},"BucketKeyEnabled":true}]}'

Error:

Parameter validation failed: Unknown parameter in ServerSideEncryptionConfiguration.Rules[0]: "BucketKeyEnabled", must be one of: ApplyServerSideEncryptionByDefault

Following is my aws cli version info:

$ aws --version
aws-cli/1.16.306 Python/2.7.16 Darwin/20.5.0 botocore/1.13.42

As per the documentation it should, but does this version not support the BucketKeyEnabled param? Would updating to the latest aws cli version help?

CodePudding user response:

Version aws-cli/1.16.306 is very old, and BucketKeyEnabled is not supported in the old version. If you want to keep using v1 of the CLI, use the latest version, which is 1.24.7. Otherwise, change to the current version, 2.7.11.
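
A pre-flight check for the situation in this thread, as an added example that is not part of the original question or answer: it refuses to run put-bucket-encryption from a CLI older than the releases the answer names, then reads the setting back to confirm the Bucket Key was applied. The function names and the use of 1.24.7 and 2.7.11 as version floors are assumptions made here; those are the releases the answer recommends, not the first releases that accept BucketKeyEnabled.

```shell
#!/bin/sh
# Added example: gate put-bucket-encryption on the CLI version, then confirm the result.
# Floors are the releases named in the answer (assumption: known-good, not the true minimum).
V1_FLOOR="1.24.7"
V2_FLOOR="2.7.11"

# Extract "1.16.306" from a line like "aws-cli/1.16.306 Python/2.7.16 ...".
cli_version() {
    printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p'
}

# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# cli_supports_bucket_key "<aws --version output>": pick the floor by major version.
cli_supports_bucket_key() {
    v=$(cli_version "$1")
    [ -n "$v" ] || return 2          # unparseable version string
    case "$v" in
        1.*) version_ge "$v" "$V1_FLOOR" ;;
        *)   version_ge "$v" "$V2_FLOOR" ;;
    esac
}

# enable_bucket_key BUCKET KMS_KEY_ARN: apply SSE-KMS with a Bucket Key, then read it back.
enable_bucket_key() {
    cli_supports_bucket_key "$(aws --version 2>&1)" || {
        echo "aws CLI too old for BucketKeyEnabled; upgrade first" >&2; return 1; }
    cfg=$(printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$2")
    aws s3api put-bucket-encryption --bucket "$1" \
        --server-side-encryption-configuration "$cfg" || return 1
    got=$(aws s3api get-bucket-encryption --bucket "$1" --output text \
        --query 'ServerSideEncryptionConfiguration.Rules[0].BucketKeyEnabled')
    case "$got" in [Tt]rue) return 0 ;; *) return 1 ;; esac
}
```

Call it as `enable_bucket_key my-bucket AWS_KMS_key_ARN`; the read-back matters because removing the parameter to get past the validation error leaves the bucket encrypted with SSE-KMS but without a Bucket Key.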
