diff --git a/packages/@aws-cdk/s3/lib/bucket.ts b/packages/@aws-cdk/s3/lib/bucket.ts
index 56fd4efce7592..103e248347365 100644
--- a/packages/@aws-cdk/s3/lib/bucket.ts
+++ b/packages/@aws-cdk/s3/lib/bucket.ts
@@ -340,6 +340,16 @@ export class Bucket extends BucketRef {
 return { encryptionKey, bucketEncryption };
 }
 
+ if (encryptionType === BucketEncryption.S3Managed) {
+ const bucketEncryption = {
+ serverSideEncryptionConfiguration: [
+ { serverSideEncryptionByDefault: { sseAlgorithm: 'AES256' } }
+ ]
+ };
+
+ return { bucketEncryption };
+ }
+
 if (encryptionType === BucketEncryption.KmsManaged) {
 const bucketEncryption = {
 serverSideEncryptionConfiguration: [
@@ -406,10 +416,15 @@ export enum BucketEncryption {
 Unencrypted = 'NONE',
 
 /**
- * Server-side KMS encryption with a master key managed by S3.
+ * Server-side KMS encryption with a master key managed by KMS.
 */
 KmsManaged = 'MANAGED',
 
+ /**
+ * Server-side encryption with a master key managed by S3.
+ */
+ S3Managed = 'S3MANAGED',
+
 /**
 * Server-side encryption with a KMS key managed by the user.
 * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
diff --git a/packages/@aws-cdk/s3/test/integ.bucket.expected.json b/packages/@aws-cdk/s3/test/integ.bucket.expected.json
index 738573fd3fac7..4d166081eef83 100644
--- a/packages/@aws-cdk/s3/test/integ.bucket.expected.json
+++ b/packages/@aws-cdk/s3/test/integ.bucket.expected.json
@@ -87,6 +87,20 @@
 }
 }
 },
+ "MyOtherBucket543F3540": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "BucketEncryption": {
+ "ServerSideEncryptionConfiguration": [
+ {
+ "ServerSideEncryptionByDefault": {
+ "SSEAlgorithm": "AES256"
+ }
+ }
+ ]
+ }
+ }
+ },
 "MyUserDC45028B": {
 "Type": "AWS::IAM::User"
 },
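Review bot: The new `S3Managed` branch silently drops any `encryptionKey` the caller supplied alongside it, even though the `Kms` member's doc a few lines below promises that a supplied key is honoured; unless that combination is already rejected earlier in this function (its start is outside the hunk), add a guard before building the config, e.g. `if (encryptionKey) { throw new Error('encryptionKey can only be combined with BucketEncryption.Kms'); }`, using whatever the key binding is named at that point. The `return { bucketEncryption }` deliberately carries no `encryptionKey`, and that deserves a why-comment so a later maintainer does not "fix" it: `// SSE-S3: S3 manages the key, so nothing is created here and there is no key to return or grant on`. The `'AES256'` literal is the only place the algorithm is named and would read better with `// CloudFormation SSEAlgorithm value for SSE-S3` beside it. The block is otherwise a copy of the `KmsManaged` block with a different algorithm; a small helper that builds `serverSideEncryptionConfiguration` from an algorithm and an optional key id would remove the duplication.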
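Review bot: The doc on the new `S3Managed` member only says the key is managed by S3; the security-relevant difference a user needs when choosing between it and `KmsManaged` is that no KMS key exists to attach a key policy to or to audit, so access is governed solely by bucket and object permissions (the expected template in this change shows `grantRead` on such a bucket adding `s3:` actions only). Suggest expanding it to: `Server-side encryption with a master key managed by S3 (SSE-S3, AES256). No KMS key is created or referenced; access is controlled only by bucket/object permissions, so grants add no kms:* permissions.` The reworded `KmsManaged` line is accurate, but its value `'MANAGED'` now reads ambiguously next to `'S3MANAGED'`; if nothing external relies on that string yet, `'KMSMANAGED'` would be clearer, otherwise a comment noting the asymmetry would do.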
@@ -144,6 +158,37 @@ "Arn" ] } + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "MyOtherBucket543F3540", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyOtherBucket543F3540", + "Arn" + ] + }, + "/", + "*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -157,4 +202,4 @@ } } } -} +} \ No newline at end of file diff --git a/packages/@aws-cdk/s3/test/integ.bucket.ts b/packages/@aws-cdk/s3/test/integ.bucket.ts index 6b5bb7b19fd7d..a6087104ccac0 100644 --- a/packages/@aws-cdk/s3/test/integ.bucket.ts +++ b/packages/@aws-cdk/s3/test/integ.bucket.ts @@ -11,7 +11,12 @@ const bucket = new Bucket(stack, 'MyBucket', { encryption: BucketEncryption.Kms }); +const otherwiseEncryptedBucket = new Bucket(stack, 'MyOtherBucket', { + encryption: BucketEncryption.S3Managed +}); + const user = new User(stack, 'MyUser'); bucket.grantReadWrite(user); +otherwiseEncryptedBucket.grantRead(user); process.stdout.write(app.run());
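Review bot: The integ snapshot pins the whole template, but nothing asserts the two properties that make `S3Managed` different from the KMS modes: that no `AWS::KMS::Key` resource is synthesized for `MyOtherBucket`, and that `grantRead` on it adds only `s3:` actions with no `kms:Decrypt` statement; the expected.json in this change shows exactly that, so it is cheap to lock in with a unit test in the package's test suite rather than leaving it to snapshot churn. The name `otherwiseEncryptedBucket` says nothing about how the bucket is encrypted; `const sseS3Bucket = new Bucket(stack, 'MyOtherBucket', { encryption: BucketEncryption.S3Managed });` would make the snapshot diff self-explanatory.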