S3 Default Encryption override with command line/api call

S3 doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

After you enable default encryption for a bucket, the following encryption behavior applies:

There is no change to the encryption of the objects that existed in the bucket before default encryption was enabled. When you upload objects after enabling default encryption: If your PUT request headers don't include encryption information, Amazon S3 uses the bucket’s default encryption settings to encrypt the objects. If your PUT request headers include encryption information, Amazon S3 uses the encryption information from the PUT request to encrypt objects before storing them in Amazon S3. If the PUT succeeds, the response is an HTTP/1.1 200 OK with the encryption information in the response headers. For more information, see PUT Object. If you use the SSE-KMS option for your default encryption configuration, you are subject to the RPS (requests per second) limits of AWS KMS. For more information about AWS KMS limits and how to request a limit increase, see AWS KMS limits.

https://docs.aws.amazon.com/kms/latest/developerguide/limits.html