S3, does default encryption require any action to 'trigger' flag showing encryption status in the CLI output?


Since AWS now applies SSE to all new object uploads to S3 buckets (since 1/5/23), how should this impact testing of S3 encryption via the CLI, such as using ‘get-bucket-encryption’? https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

If an S3 bucket was previously unencrypted, it should now show up in our CLI results as having SSE, correct? Mainly, my question is, if an existing S3 bucket just sat there with no actions occurring, would the SSE automatically trigger and therefore any CLI output would reflect this new SSE status? Or is it possible the CLI would incorrectly show the bucket as unencrypted until some kind of put or get type action was run on the S3 bucket?

In some earlier testing of S3 CLI that is dated no **earlier** than 1/26 the results included a lot of unencrypted buckets. However, since everything now has SSE because of this change from AWS and we randomly selected 2 buckets shown as not encrypted and re-ran the CLI, now the CLI output indicates that they have SSE. Just not sure what happened here.

1 Answer

From: Amazon S3 now automatically encrypts all new objects

With this update, Amazon S3 will automatically apply SSE-S3 as the base level of Default Encryption setting for all new buckets and for existing buckets without any customer configured encryption setting. Existing buckets currently using S3 Default Encryption configuration will not change.

So, even an empty bucket will have the Default Encryption set to SSE-S3.

AWS
answered a year ago
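The answer above describes the configuration that `get-bucket-encryption` reports: the bucket's Default Encryption setting, not the state of individual objects, so an idle or empty bucket still returns SSE-S3 after the change. The script below is an added example (not from the question or the answer) that parses that response shape, as returned by `aws s3api get-bucket-encryption` or boto3's `get_bucket_encryption`, and classifies each bucket as SSE-S3, SSE-KMS or not configured. It also handles the `ServerSideEncryptionConfigurationNotFoundError` that an unconfigured bucket returned before the January 2023 change, which is the case an older audit script would have hit. The three sample responses, the bucket names and the KMS key ARN are constructed placeholders; `fetch_with_boto3` is the only part that talks to AWS and assumes credentials and a region are configured.

```python
"""Classify S3 default-encryption configuration from GetBucketEncryption output.

Added example, not code from the re:Post thread. Sample responses below are
constructed; bucket names and the KMS key ARN are placeholders.
"""
from typing import Callable, Optional

# Error code returned for a bucket with no default-encryption configuration
# (common before 5 January 2023; still possible if the config was deleted).
NOT_CONFIGURED = "ServerSideEncryptionConfigurationNotFoundError"


def classify_encryption(response: Optional[dict]) -> dict:
    """Summarise one GetBucketEncryption response.

    Returns a dict with:
      algorithm  - "AES256" (SSE-S3), "aws:kms", "aws:kms:dsse", or None
      kms_key    - KMSMasterKeyID when SSE-KMS is configured, else None
      bucket_key - value of BucketKeyEnabled (False when absent)
      encrypted  - True when any default algorithm is configured
    `response` is None when the bucket has no configuration at all.
    """
    empty = {"algorithm": None, "kms_key": None, "bucket_key": False, "encrypted": False}
    if response is None:
        return empty
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm")
        return {
            "algorithm": algorithm,
            "kms_key": default.get("KMSMasterKeyID"),
            "bucket_key": bool(rule.get("BucketKeyEnabled", False)),
            "encrypted": algorithm is not None,
        }
    return empty


def audit_buckets(names, fetch: Callable[[str], Optional[dict]]) -> dict:
    """Classify every bucket in `names`.

    `fetch(name)` returns the GetBucketEncryption response dict, or None when
    the bucket has no configuration. Injecting the fetcher keeps the audit
    runnable offline; `fetch_with_boto3` is the live version.
    """
    return {name: classify_encryption(fetch(name)) for name in names}


def fetch_with_boto3(name: str) -> Optional[dict]:
    """Live fetcher: maps the not-configured error to None instead of crashing."""
    import boto3  # assumed available and configured; not used by the demo
    from botocore.exceptions import ClientError

    try:
        return boto3.client("s3").get_bucket_encryption(Bucket=name)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == NOT_CONFIGURED:
            return None
        raise


# Constructed sample responses standing in for three buckets.
SAMPLE_RESPONSES = {
    # Default SSE-S3, which is what an untouched bucket reports after the change.
    "logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
         "BucketKeyEnabled": False}]}},
    # Customer-configured SSE-KMS; the key ARN is a placeholder.
    "finance-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    # Pre-change result: the API raised NOT_CONFIGURED, which we model as None.
    "legacy-bucket": None,
}


def demo() -> dict:
    """Run the audit over the constructed samples."""
    return audit_buckets(SAMPLE_RESPONSES, SAMPLE_RESPONSES.get)


if __name__ == "__main__":
    for bucket, summary in demo().items():
        print(f"{bucket}: {summary}")
```

To run it against a real account, replace `SAMPLE_RESPONSES.get` with `fetch_with_boto3` and pass the names from `list_buckets`; any bucket that still returns `None` has no default-encryption configuration and is worth a second look, since after the change that should only happen if someone has deleted it.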
