Securing your data on AWS
All the files in S3 storage are encrypted by default with S3's own encryption key. Additionally, you can create your own key in the KMS service in your AWS account, and then provide the details of the KMS master key as part of the service delegation process.
Prerequisites
- You must have your KMS master key for server-side encryption set up in your AWS account.
To turn on S3 bucket encryption:
- From the navigation menu, select Administration > Access (IAM) > Access Delegation.
- Check whether the Enable delegation toggle is set to on. If it isn't, you must first set up account delegation. For details, see Enabling account delegation.
- Set the Enable encryption toggle to on.
- Select the SSE algorithm and provide the ARN of the KMS master key.
- Click the Save button. Encryption is set as default for all the files in new buckets.
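To confirm that a newly created bucket actually uses your key, you can check its default encryption settings. The following is an added example, not part of the platform's own tooling: it inspects a response in the shape returned by the S3 GetBucketEncryption API (boto3 `get_bucket_encryption`), and it assumes the `aws:kms` algorithm was selected. The function name, the key ARN and the sample responses are constructed for illustration.

```python
import re

# Full KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$"
)

def check_default_encryption(response, expected_key_arn):
    """Return a list of problems; an empty list means the bucket default matches."""
    problems = []
    if not KMS_KEY_ARN.match(expected_key_arn):
        problems.append("expected key is not a full KMS key ARN")
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return problems + ["bucket has no default encryption rule"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        key = default.get("KMSMasterKeyID")
        if algo != "aws:kms":
            # AES256 means S3's own key is in use, not the customer key
            problems.append(f"SSE algorithm is {algo!r}, not 'aws:kms'")
        elif key != expected_key_arn:
            # A missing key id means the AWS managed key is used instead
            problems.append(f"KMS key is {key!r}, not the delegated key")
    return problems

# Constructed sample data (not real account or key identifiers)
SAMPLE_KEY_ARN = (
    "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)
SAMPLE_OK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": SAMPLE_KEY_ARN}}]}}
SAMPLE_S3_MANAGED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, resp in [("ok", SAMPLE_OK), ("s3-managed", SAMPLE_S3_MANAGED)]:
        print(name, check_default_encryption(resp, SAMPLE_KEY_ARN) or "matches")
```

With live credentials, pass the result of `boto3.client("s3").get_bucket_encryption(Bucket=...)` in place of the sample dictionaries.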