How to confirm an object in S3 is Encrypted


When I examine (via console) the properties of an object I put into a bucket with default encryption enabled (AES-256) the Server-side encryption attribute says "Access Denied." (An unencrypted object says "None"). I'm examining the object under the Admin role. An IAM user with lesser permissions (and isn't console-enabled) put the object.

Attempts to HeadObject at the command line (aws s3api head-object --bucket my-bucket --key os_requests/000000_0) as either the IAM User who put the object or as the Admin role result in "Forbidden." (An unencrypted object returns the expected json payload). The object can be ls'd or cp'd by either principal.

Does anyone know how I might get a more definitive yes or no?

preguntada hace 4 años2729 visualizaciones
1 Respuesta
Respuesta aceptada

There are two ways I can think of,
1- something like:

import boto3

s3_client = boto3.client('s3')
response = s3_client.get_object(Bucket='testbucket',Key='testfile')


Not sure why your s3api CLI didn't work, but this above sample snippet works even for a readonly user.

2- Enable and use S3 Inventory, where you get frequent reports of all the objects in a bucket and in that report you can check the Encryption status for each of the objects.

I recommend using inventory specially if this task, checking the encryption of objects, is a frequent task. You can provide access only to the inventory reports to a user for that purpose.

respondido hace 4 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas