diff --git a/.github/workflows/replication.yaml b/.github/workflows/replication.yaml
index bcb145348..4ad56e7cc 100644
--- a/.github/workflows/replication.yaml
+++ b/.github/workflows/replication.yaml
@@ -42,6 +42,12 @@ jobs:
           sudo sysctl net.ipv6.conf.default.disable_ipv6=0
           make test-ilm
 
+      - name: Test PBAC
+        run: |
+          sudo sysctl net.ipv6.conf.all.disable_ipv6=0
+          sudo sysctl net.ipv6.conf.default.disable_ipv6=0
+          make test-pbac
+
       - name: Test Config File
         run: |
           sudo sysctl net.ipv6.conf.all.disable_ipv6=0
diff --git a/Makefile b/Makefile
index 3006cb29e..477c293fb 100644
--- a/Makefile
+++ b/Makefile
@@ -57,6 +57,10 @@ test-ilm: install-race
 	@echo "Running ILM tests"
 	@env bash $(PWD)/docs/bucket/replication/setup_ilm_expiry_replication.sh
 
+test-pbac: install-race
+	@echo "Running bucket policies tests"
+	@env bash $(PWD)/docs/iam/policies/pbac-tests.sh
+
 test-decom: install-race
 	@echo "Running minio decom tests"
 	@env bash $(PWD)/docs/distributed/decom.sh
diff --git a/docs/iam/policies/deny-non-sse-kms-objects.json b/docs/iam/policies/deny-non-sse-kms-objects.json
new file mode 100644
index 000000000..003d03a78
--- /dev/null
+++ b/docs/iam/policies/deny-non-sse-kms-objects.json
@@ -0,0 +1,17 @@
+{
+   "Version":"2012-10-17",
+   "Id":"PutObjectPolicy",
+   "Statement":[{
+         "Sid":"DenyObjectsThatAreNotSSEKMS",
+         "Effect":"Deny",
+         "Principal":"*",
+         "Action":"s3:PutObject",
+         "Resource":"arn:aws:s3:::multi-key-poc/*",
+         "Condition":{
+            "Null":{
+               "s3:x-amz-server-side-encryption-aws-kms-key-id":"true"
+            }
+         }
+      }
+   ]
+}
diff --git a/docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json b/docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
new file mode 100644
index 000000000..e872c78d8
--- /dev/null
+++ b/docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
@@ -0,0 +1,17 @@
+{
+   "Version":"2012-10-17",
+   "Id":"PutObjectPolicy1",
+   "Statement":[{
+         "Sid":"DenyObjectsWithInvalidSSEKMS",
+         "Effect":"Deny",
+         "Principal":"*",
+         "Action":"s3:PutObject",
+         "Resource":"arn:aws:s3:::multi-key-poc/*",
+         "Condition":{
+            "StringNotEquals":{
+               "s3:x-amz-server-side-encryption-aws-kms-key-id":"minio-default-key"
+            }
+         }
+      }
+   ]
+}
diff --git a/docs/iam/policies/pbac-tests.sh b/docs/iam/policies/pbac-tests.sh
new file mode 100755
index 000000000..13543ca8c
--- /dev/null
+++ b/docs/iam/policies/pbac-tests.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+if [ -n "$TEST_DEBUG" ]; then
+	set -x
+fi
+
+pkill minio
+pkill kes
+rm -rf /tmp/xl
+
+if [ ! -f ./mc ]; then
+	wget --quiet -O mc https://dl.minio.io/client/mc/release/linux-amd64/mc &&
+		chmod +x mc
+fi
+
+if [ ! -f ./kes ]; then
+	wget --quiet -O kes https://github.com/minio/kes/releases/latest/download/kes-linux-amd64 &&
+		chmod +x kes
+fi
+
+if ! openssl version &>/dev/null; then
+	apt install openssl || sudo apt install opensssl
+fi
+
+# Start KES Server
+(./kes server --dev 2>&1 >kes-server.log) &
+kes_pid=$!
+sleep 5s
+API_KEY=$(grep "API Key" <kes-server.log | awk -F" " '{print $3}')
+(openssl s_client -connect 127.0.0.1:7373 2>/dev/null 1>public.crt)
+
+export CI=true
+export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
+export MINIO_KMS_KES_API_KEY="${API_KEY}"
+export MINIO_KMS_KES_KEY_NAME=minio-default-key
+export MINIO_KMS_KES_CAPATH=public.crt
+export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
+
+(minio server http://localhost:9000/tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
+pid=$!
+
+sleep 30s
+
+./mc admin user add myminio/ minio123 minio123
+
+./mc admin policy create myminio/ deny-non-sse-kms-pol ./docs/iam/policies/deny-non-sse-kms-objects.json
+./mc admin policy create myminio/ deny-invalid-sse-kms-pol ./docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
+
+./mc admin policy attach myminio deny-non-sse-kms-pol --user minio123
+./mc admin policy attach myminio deny-invalid-sse-kms-pol --user minio123
+./mc admin policy attach myminio consoleAdmin --user minio123
+
+./mc mb -l myminio/test-bucket
+./mc mb -l myminio/multi-key-poc
+
+export MC_HOST_myminio1="http://minio123:minio123@localhost:9000/"
+
+./mc cp /etc/issue myminio1/test-bucket
+ret=$?
+if [ $ret -ne 0 ]; then
+	echo "BUG: PutObject to bucket: test-bucket should succeed. Failed"
+	exit 1
+fi
+
+./mc cp /etc/issue myminio1/multi-key-poc | grep -q "Insufficient permissions to access this path"
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc without sse-kms should fail. Succedded"
+	exit 1
+fi
+
+./mc cp /etc/hosts myminio1/multi-key-poc/hosts --enc-kms "myminio1/multi-key-poc/hosts=minio-default-key"
+ret=$?
+if [ $ret -ne 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc with valid sse-kms should succeed. Failed"
+	exit 1
+fi
+
+mc cp /etc/issue myminio1/multi-key-poc/issue --enc-kms "myminio1/multi-key-poc/issue=minio-default-key-xxx" | grep "Insufficient permissions to access this path"
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc with invalid sse-kms should fail. Succeeded"
+	exit 1
+fi
+
+kill $pid
+kill $kes_pid