How to confirm an object in S3 is Encrypted


When I examine (via console) the properties of an object I put into a bucket with default encryption enabled (AES-256), the Server-side encryption attribute says "Access Denied." (An unencrypted object says "None"). I'm examining the object under the Admin role. An IAM user with lesser permissions (who isn't console-enabled) put the object.

Attempts to HeadObject at the command line (aws s3api head-object --bucket my-bucket --key os_requests/000000_0) as either the IAM User who put the object or as the Admin role result in "Forbidden." (An unencrypted object returns the expected json payload). The object can be ls'd or cp'd by either principal.

Does anyone know how I might get a more definitive yes or no?

asked 4 years ago, 2631 views
1 Answer
Accepted Answer

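There are two ways I can think of:
1- something like:

import boto3

s3_client = boto3.client('s3')
response = s3_client.get_object(Bucket='testbucket', Key='testfile')
# 'ServerSideEncryption' appears in the response only when the object is encrypted at rest
print(response.get('ServerSideEncryption'))

Not sure why your s3api CLI didn't work, but the above sample snippet works even for a read-only user.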

2- Enable and use S3 Inventory, where you get frequent reports of all the objects in a bucket and in that report you can check the Encryption status for each of the objects.

I recommend using inventory, especially if this task, checking the encryption of objects, is a frequent task. You can provide access only to the inventory reports to a user for that purpose.

answered 4 years ago
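
For the S3 Inventory option in the answer above, this added example (not part of the original answer) reads one CSV inventory file against the `fileSchema` in its `manifest.json` and lists the objects reported as `NOT-SSE`. It assumes the inventory was configured in CSV format with the optional EncryptionStatus field; the manifest, rows and function names are constructed for illustration.

```python
import csv
import io
import json
from urllib.parse import unquote_plus

# Constructed sample of an inventory manifest.json (only the fields used here).
SAMPLE_MANIFEST = json.dumps({
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, EncryptionStatus",
})

# Constructed sample rows. CSV inventory files have no header line;
# the column order comes from fileSchema in the manifest.
SAMPLE_CSV = (
    '"my-bucket","os_requests/000000_0","1048576","SSE-S3"\n'
    '"my-bucket","os_requests/000001_0","2048","NOT-SSE"\n'
    '"my-bucket","reports/q1%20summary.csv","512","SSE-KMS"\n'
)


def encryption_report(manifest_json, csv_text):
    """Return {object key: EncryptionStatus} for one inventory CSV file."""
    manifest = json.loads(manifest_json)
    columns = [c.strip() for c in manifest["fileSchema"].split(",")]
    if "EncryptionStatus" not in columns:
        raise ValueError("inventory does not include the EncryptionStatus field")
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=columns):
        # Object keys are URL-encoded in the inventory file; decode before use.
        report[unquote_plus(row["Key"])] = row["EncryptionStatus"]
    return report


def unencrypted_keys(report):
    """Keys whose inventory status says no server-side encryption was applied."""
    return sorted(key for key, status in report.items() if status == "NOT-SSE")


if __name__ == "__main__":
    result = encryption_report(SAMPLE_MANIFEST, SAMPLE_CSV)
    for key, status in sorted(result.items()):
        print(f"{status:8} {key}")
    print("Unencrypted:", unencrypted_keys(result))
```

In practice the manifest and the gzip-compressed data files it lists would be downloaded from the inventory destination bucket, which is the only bucket the auditing user needs read access to.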
