
Are you saying the S3 bucket is KMS encrypted? When performing any S3 bucket operations, do you need to pass the KMS key every time? How are you going to handle that?

🟡 Medium | Conceptual | Junior level
Times asked: 1
Last seen: Apr 2026
First seen: Apr 2026

💡 Model Answer

When an S3 bucket is configured for server‑side encryption with AWS KMS (SSE‑KMS), the data is encrypted at rest using a customer‑managed KMS key. For most S3 operations (PUT, GET, LIST, DELETE), you do not need to explicitly provide the KMS key each time; the bucket’s encryption configuration automatically applies the key. The SDK or CLI will include the encryption header (x-amz-server-side-encryption: aws:kms) and, if necessary, the key ID (x-amz-server-side-encryption-aws-kms-key-id). If you use a custom key, you can specify it once in the bucket policy or during the first upload. Subsequent operations inherit the encryption setting.

To handle this, you can:

1) Set the bucket’s default encryption to SSE‑KMS in the console or via the PutBucketEncryption API.
2) Ensure IAM policies allow s3:PutObject and s3:GetObject with s3:EncryptionContext if you use encryption context.
3) Use SDKs that automatically add the required headers.

This approach simplifies code and ensures all objects are encrypted without per‑operation key handling.

This answer was generated by AI for study purposes. Use it as a starting point — personalize it with your own experience.
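
An added example, not part of the original answer: a Python check over a GetBucketEncryption-style response that reports whether the bucket default already applies the intended KMS key, or whether each upload would still need the two headers named above. The sample responses, key id and ARN are constructed placeholders, and the function names are this example's own.

```python
# Added example. Sample documents below are constructed, not real AWS output.
SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key id
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/" + KEY_ID  # placeholder ARN

def key_id_of(key_ref):
    """Reduce a key ARN to its bare key id; leave ids and aliases as given."""
    if key_ref and key_ref.startswith("arn:") and ":key/" in key_ref:
        return key_ref.split(":key/", 1)[1]
    return key_ref

def default_rule(resp):
    """Return the bucket's ApplyServerSideEncryptionByDefault dict, or None."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        if rule.get("ApplyServerSideEncryptionByDefault"):
            return rule["ApplyServerSideEncryptionByDefault"]
    return None

def headers_needed_per_put(resp, wanted_key):
    """Headers each PutObject must carry for the object to land under wanted_key.
    An empty dict means the bucket default already does the job."""
    rule = default_rule(resp)
    if (rule and rule.get("SSEAlgorithm") == "aws:kms"
            and key_id_of(rule.get("KMSMasterKeyID")) == key_id_of(wanted_key)):
        return {}
    return {SSE_HEADER: "aws:kms", KEY_HEADER: wanted_key}

def findings(resp):
    """Human-readable gaps in the bucket's default-encryption configuration."""
    rule = default_rule(resp)
    if rule is None:
        return ["no default encryption rule in the response"]
    out = []
    if rule.get("SSEAlgorithm") != "aws:kms":
        out.append("default is %s, not SSE-KMS" % rule.get("SSEAlgorithm"))
    elif not rule.get("KMSMasterKeyID"):
        out.append("SSE-KMS default has no key id, so the AWS managed key aws/s3 is used")
    return out

SAMPLE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
    "BucketKeyEnabled": True}]}}
SAMPLE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, resp in (("kms", SAMPLE_KMS), ("sse-s3", SAMPLE_S3)):
        print(name, headers_needed_per_put(resp, KEY_ID), findings(resp))
```

Key aliases are compared as plain strings here, since resolving an alias to a key id needs a call to KMS.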
