diff --git a/provider.aws.data.tf b/provider.aws.data.tf
index f705fbe..9dc4517 100644
--- a/provider.aws.data.tf
+++ b/provider.aws.data.tf
@@ -1,5 +1,9 @@
 data "aws_caller_identity" "current" {}
 
+data "aws_kms_alias" "aws_s3" {
+ name = "alias/aws/s3"
+}
+
 data "aws_iam_policy_document" "s3_cloudfront_access" {
 statement {
 principals {
diff --git a/provider.aws.s3.tf b/provider.aws.s3.tf
index 86f41b4..b75dc7d 100644
--- a/provider.aws.s3.tf
+++ b/provider.aws.s3.tf
@@ -14,9 +14,10 @@ resource "aws_s3_bucket_public_access_block" "created" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "created" {
 bucket = aws_s3_bucket.created.id
 rule {
+ bucket_key_enabled = true
 apply_server_side_encryption_by_default {
- kms_master_key_id = "aws/s3"
- sse_algorithm = "aws:kms"
+ sse_algorithm = "AES256"
+ # kms_master_key_id = data.aws_kms_alias.aws_s3.arn
 }
 }
 }
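Review bot: The new `aws_kms_alias.aws_s3` data source has no consumer — its only reference, in provider.aws.s3.tf, arrives as a commented-out line — so it is dead configuration that is still read from KMS on every plan. Either wire it in (`kms_master_key_id = data.aws_kms_alias.aws_s3.target_key_arn` under `sse_algorithm = "aws:kms"`) or drop the block. If it stays, a one-line comment such as `# AWS-managed S3 key; looked up so the bucket can reference the key ARN instead of a hard-coded alias` would explain why the alias is resolved here rather than written inline.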
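Review bot: `bucket_key_enabled = true` has no effect next to `sse_algorithm = "AES256"`: S3 Bucket Keys apply only to SSE-KMS, so the attribute is misleading and should either be removed or be paired with `aws:kms`. The removed `kms_master_key_id = "aws/s3"` looks like an invalid key identifier (the AWS-managed key is `alias/aws/s3` or its ARN), which is presumably why the KMS setup was replaced rather than corrected; the data source added in provider.aws.data.tf already resolves it, so `sse_algorithm = "aws:kms"` with `kms_master_key_id = data.aws_kms_alias.aws_s3.target_key_arn` restores the original intent, and using the key ARN rather than the alias `.arn` is less likely to produce a perpetual plan diff. Falling back to SSE-S3 also gives up the per-key CloudTrail events and key-policy control that SSE-KMS provides for this bucket; if that trade-off is deliberate, delete the commented-out line rather than leaving it as an implicit TODO.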