Legacy Knowledge Base
Published Jun. 30, 2025

AWS S3: does Liferay support the x-amz-server-side-encryption header with server side encryption?

Written By

Sorin Pop

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • I am using an S3 bucket as the store for our Documents and Media
  • I have configured it with a Service Control Policy that requires encryption and the presence of the x-amz-server-side-encryption header, something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadOfUnencryptedObjectsToS3Bucket",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": [
            "AES256",
            "aws:kms"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::489415732136:user/test"
          ]
        }
      }
    }
  ]
}

 

  • When I test this configuration, I am getting the following error.

Caused by: com.liferay.document.library.kernel.exception.AccessDeniedException: {errorCode=AccessDenied, errorType=Client, message=Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ZE1PKQDWJGJVX9RH; S3 Extended Request ID: JulnMKqJqw0L7gRyUuo1s9lrChprqu36wPPm1/Tr1ZYRkFL+Hu8Hrq6QFF9/E8d5UxbWNMoHA0U=; Proxy: null), requestId=ZE1PKQDWJGJVX9RH, statusCode=403}

  • Can you confirm if Liferay is able to provide this x-amz-server-side-encryption header?

Environment

  • 7.4

Resolution

  • At the time of writing, Liferay does not set this header, so you need to rely on default bucket encryption if you want server-side encryption of your bucket objects.

    As a result, you cannot use a service control policy that requires the "x-amz-server-side-encryption" header to be set.

  • When you upload objects after enabling default encryption:

    If your PUT request headers don't include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects.
    If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3.

  • There is a feature request ticket for possibly adding this functionality to Liferay in the future: https://issues.liferay.com/browse/LPS-165937
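
Why the upload is rejected, as an added example (not Liferay or AWS code): a simplified Python model of the Deny statement from the policy above, evaluated against the request's own context keys. The `dl-store` principal and account 111122223333 are constructed placeholders, and ARN matching is reduced to a plain glob.

```python
import fnmatch

# Condition block of the Deny statement shown in the policy above.
STATEMENT = {
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]},
        "ArnNotLike": {
            "aws:PrincipalARN": ["arn:aws:iam::489415732136:user/test"]},
    },
}

def string_not_equals(value, allowed):
    # A negated operator is true when the key is absent from the request.
    return value is None or value not in allowed

def arn_not_like(value, patterns):
    # Simplification: glob match over the whole ARN string.
    return value is None or not any(
        fnmatch.fnmatchcase(value, p) for p in patterns)

OPERATORS = {"StringNotEquals": string_not_equals,
             "ArnNotLike": arn_not_like}

def deny_applies(statement, action, context):
    """True when every condition matches, i.e. the request is denied."""
    if action != statement["Action"]:
        return False
    return all(
        OPERATORS[op](context.get(key), values)
        for op, keys in statement["Condition"].items()
        for key, values in keys.items())

# Constructed request contexts (account 111122223333 is a placeholder).
STORE = "arn:aws:iam::111122223333:user/dl-store"
NO_HEADER = {"aws:PrincipalARN": STORE}
WITH_HEADER = {"aws:PrincipalARN": STORE,
               "s3:x-amz-server-side-encryption": "AES256"}
EXEMPT = {"aws:PrincipalARN": "arn:aws:iam::489415732136:user/test"}

if __name__ == "__main__":
    for name, ctx in [("no header", NO_HEADER),
                      ("header AES256", WITH_HEADER),
                      ("exempt principal", EXEMPT)]:
        denied = deny_applies(STATEMENT, "s3:PutObject", ctx)
        print(f"{name}: {'Deny (403)' if denied else 'not denied'}")
```

The "no header" case is the request shape this article describes: the header is absent from the PUT, so both negated conditions hold and the Deny matches.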

 
