How to confirm an object in S3 is Encrypted

0

When I examine (via console) the properties of an object I put into a bucket with default encryption enabled (AES-256) the Server-side encryption attribute says "Access Denied." (An unencrypted object says "None"). I'm examining the object under the Admin role. An IAM user with lesser permissions (and isn't console-enabled) put the object.

Attempts to HeadObject at the command line (aws s3api head-object --bucket my-bucket --key os_requests/000000_0) as either the IAM User who put the object or as the Admin role result in "Forbidden." (An unencrypted object returns the expected json payload). The object can be ls'd or cp'd by either principal.

Does anyone know how I might get a more definitive yes or no?

AWS
質問済み 4年前2723ビュー
1回答
0
承認された回答

There are two ways I can think of,
1- something like:

import boto3

s3_client = boto3.client('s3')
response = s3_client.get_object(Bucket='testbucket',Key='testfile')

print(response.get('ServerSideEncryption'))

Not sure why your s3api CLI didn't work, but this above sample snippet works even for a readonly user.

2- Enable and use S3 Inventory, where you get frequent reports of all the objects in a bucket and in that report you can check the Encryption status for each of the objects.

I recommend using inventory specially if this task, checking the encryption of objects, is a frequent task. You can provide access only to the inventory reports to a user for that purpose.

AWS
エキスパート
回答済み 4年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ