diff --git a/lib/active_storage/service/s3_service.rb b/lib/active_storage/service/s3_service.rb
index 5703cfd0ed..efffdec157 100644
--- a/lib/active_storage/service/s3_service.rb
+++ b/lib/active_storage/service/s3_service.rb
@@ -2,17 +2,19 @@ require "aws-sdk"
 require "active_support/core_ext/numeric/bytes"
 
 class ActiveStorage::Service::S3Service < ActiveStorage::Service
-  attr_reader :client, :bucket
+  attr_reader :client, :bucket, :upload_options
 
-  def initialize(access_key_id:, secret_access_key:, region:, bucket:, **options)
+  def initialize(access_key_id:, secret_access_key:, region:, bucket:, upload: {}, **options)
     @client = Aws::S3::Resource.new(access_key_id: access_key_id, secret_access_key: secret_access_key, region: region, **options)
     @bucket = @client.bucket(bucket)
+
+    @upload_options = upload
   end
 
   def upload(key, io, checksum: nil)
     instrument :upload, key, checksum: checksum do
       begin
-        object_for(key).put(body: io, content_md5: checksum)
+        object_for(key).put(upload_options.merge(body: io, content_md5: checksum))
       rescue Aws::S3::Errors::BadDigest
         raise ActiveStorage::IntegrityError
       end
diff --git a/test/service/s3_service_test.rb b/test/service/s3_service_test.rb
index 6115cb8db0..049511497b 100644
--- a/test/service/s3_service_test.rb
+++ b/test/service/s3_service_test.rb
@@ -30,6 +30,24 @@ if SERVICE_CONFIGURATIONS[:s3]
       assert_match /#{SERVICE_CONFIGURATIONS[:s3][:bucket]}\.s3.(\S+)?amazonaws.com.*response-content-disposition=inline.*avatar\.png/,
         @service.url(FIXTURE_KEY, expires_in: 5.minutes, disposition: :inline, filename: "avatar.png")
     end
+
+    test "uploading with server-side encryption" do
+      config      = {}
+      config[:s3] = SERVICE_CONFIGURATIONS[:s3].merge \
+        upload: { server_side_encryption: "AES256" }
+
+      sse_service = ActiveStorage::Service.configure(:s3, config)
+
+      begin
+        key  = SecureRandom.base58(24)
+        data = "Something else entirely!"
+        sse_service.upload(key, StringIO.new(data), checksum: Digest::MD5.base64digest(data))
+
+        assert_equal "AES256", sse_service.bucket.object(key).server_side_encryption
+      ensure
+        sse_service.delete key
+      end
+    end
   end
 else
   puts "Skipping S3 Service tests because no S3 configuration was supplied"