Legacy Knowledge Base
Published Jun. 30, 2025

AWS S3: does Liferay support the x-amz-server-side-encryption header with server side encryption?

Written By

Sorin Pop

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • I am using an S3 bucket as the store for our Documents and Media
  • I have configured it with a Service Control Policy that requires encryption and the presence of the x-amz-server-side-encryption header, something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadOfUnencryptedObjectsToS3Bucket",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": [
            "AES256",
            "aws:kms"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::489415732136:user/test"
          ]
        }
      }
    }
  ]
}

 

  • When I test this configuration, I am getting the following error.

Caused by: com.liferay.document.library.kernel.exception.AccessDeniedException: {errorCode=AccessDenied, errorType=Client, message=Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ZE1PKQDWJGJVX9RH; S3 Extended Request ID: JulnMKqJqw0L7gRyUuo1s9lrChprqu36wPPm1/Tr1ZYRkFL+Hu8Hrq6QFF9/E8d5UxbWNMoHA0U=; Proxy: null), requestId=ZE1PKQDWJGJVX9RH, statusCode=403}

  • Can you confirm if Liferay is able to provide this x-amz-server-side-encryption header?

Environment

  • 7.4

Resolution

  • At the time of writing, Liferay does not set this header, so you need to rely on the bucket's default encryption if you want server-side encryption of your bucket objects.

    As a consequence, you cannot use a Service Control Policy that requires the "x-amz-server-side-encryption" header to be set.

  • When you upload objects after enabling default encryption:

    If your PUT request headers don't include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects.
    If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3.

  • There is a feature request ticket for possibly adding this functionality to Liferay in the future: https://issues.liferay.com/browse/LPS-165937
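Why the policy above rejects uploads even when the bucket has default encryption enabled, shown as an added example (not Liferay or AWS code). It evaluates the policy's Condition block against constructed request contexts; the `user/app` principal is hypothetical, and ARN matching is simplified to a glob over the whole string.

```python
from fnmatch import fnmatchcase

# Condition block copied from the policy in the Issue section.
CONDITION = {
    "StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]},
    "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::489415732136:user/test"]},
}

def _negated_match(value, patterns, matcher):
    # Negated IAM operators are true when the key is absent from the request,
    # and otherwise true only if the value matches none of the listed values.
    if value is None:
        return True
    return not any(matcher(value, p) for p in patterns)

def deny_applies(request_context):
    """Return True if the Deny statement's Condition matches this s3:PutObject request."""
    operators = {
        "StringNotEquals": lambda v, p: v == p,
        # Simplification (assumption): glob match over the whole ARN string.
        "ArnNotLike": fnmatchcase,
    }
    # All operators, and all keys inside each operator, are ANDed together.
    return all(
        _negated_match(request_context.get(key), patterns, operators[op])
        for op, keys in CONDITION.items()
        for key, patterns in keys.items()
    )

# Constructed request contexts; the "app" user name is hypothetical.
APP = "arn:aws:iam::489415732136:user/app"
EXEMPT = "arn:aws:iam::489415732136:user/test"
CASES = {
    "no header (what Liferay sends)": {"aws:PrincipalARN": APP},
    "header AES256": {"aws:PrincipalARN": APP, "s3:x-amz-server-side-encryption": "AES256"},
    "header aws:kms": {"aws:PrincipalARN": APP, "s3:x-amz-server-side-encryption": "aws:kms"},
    "no header, exempt principal": {"aws:PrincipalARN": EXEMPT},
}

def evaluate_all():
    return {name: deny_applies(ctx) for name, ctx in CASES.items()}

if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:32} -> {'Deny (403 AccessDenied)' if denied else 'not denied by this statement'}")
```

The condition key reflects the header on the PUT request itself, so default bucket encryption, which S3 applies when it stores the object, does not change the result for a client that omits the header.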

 
