diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
index 0302b90523716..496bfa1ddadb3 100644
--- a/packages/@aws-cdk/aws-s3/lib/bucket.ts
+++ b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -604,7 +604,7 @@ export interface BucketProps {
 * If you choose KMS, you can specify a KMS key via `encryptionKey`. If
 * encryption key is not specified, a key will automatically be created.
 *
- * @default BucketEncryption.Unencrypted
+ * @default - `Kms` if `encryptionKey` is specified, or `Unencrypted` otherwise.
 */
 readonly encryption?: BucketEncryption;
@@ -934,8 +934,11 @@ export class Bucket extends BucketBase {
 encryptionKey?: kms.IKey
 } {
- // default to unencrypted.
- const encryptionType = props.encryption || BucketEncryption.Unencrypted;
+ // default based on whether encryptionKey is specified
+ let encryptionType = props.encryption;
+ if (encryptionType === undefined) {
+ encryptionType = props.encryptionKey ? BucketEncryption.Kms : BucketEncryption.Unencrypted;
+ }
 // if encryption key is set, encryption must be set to KMS.
 if (encryptionType !== BucketEncryption.Kms && props.encryptionKey) {
diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
index 32ed9ba691330..8bdae25647490 100644
--- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts
+++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -1370,4 +1370,14 @@ export = {
 });
 test.done();
 },
+
+ 'if a kms key is specified, it implies bucket is encrypted with kms (dah)'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+ const key = new kms.Key(stack, 'k');
+
+ // THEN
+ new Bucket(stack, 'b', { encryptionKey: key });
+ test.done();
+ }
 };
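Review bot: In the second hunk of `lib/bucket.ts` (`@@ -934,8 +934,11 @@`), the new `encryptionType === undefined` test is stricter than the `||` it replaces, so a `null` coming from an untyped caller no longer receives a default. With a key set, `null !== BucketEncryption.Kms` makes the following `if` true; without a key the value falls through to code outside this hunk, which is not visible here. The old `||` already relied on every enum member being truthy, so `if (!encryptionType) {` would keep the previous tolerance. The comment could also spell out the security-relevant outcome, e.g. `// no explicit encryption: a key implies KMS, otherwise the bucket is left without server-side encryption`. The enclosing method starts and ends outside the hunk.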
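Review bot: The test added in `test/test.bucket.ts` has no assertion under `// THEN`; it only shows that `new Bucket(stack, 'b', { encryptionKey: key })` does not throw. It would still pass if the key were silently ignored and the bucket synthesized without encryption, which is the regression this change most needs to guard against. Assert on the synthesized `AWS::S3::Bucket` that `BucketEncryption` carries `SSEAlgorithm: 'aws:kms'` and a `KMSMasterKeyID` pointing at the key. The sketch below assumes the file already imports `expect` and `haveResource` from `@aws-cdk/assert`, which is not visible in this hunk, and uses a labelled placeholder for the key's logical id.

```typescript
    new Bucket(stack, 'b', { encryptionKey: key });

    // THEN: the key must appear in the synthesized bucket, not merely be accepted
    expect(stack).to(haveResource('AWS::S3::Bucket', {
      BucketEncryption: {
        ServerSideEncryptionConfiguration: [{
          ServerSideEncryptionByDefault: {
            KMSMasterKeyID: { 'Fn::GetAtt': ['<KEY_LOGICAL_ID placeholder>', 'Arn'] },
            SSEAlgorithm: 'aws:kms',
          },
        }],
      },
    }));
    test.done();
```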