How to confirm an object in S3 is Encrypted


When I examine (via console) the properties of an object I put into a bucket with default encryption enabled (AES-256) the Server-side encryption attribute says "Access Denied." (An unencrypted object says "None"). I'm examining the object under the Admin role. An IAM user with lesser permissions (and isn't console-enabled) put the object.

Attempts to HeadObject at the command line (aws s3api head-object --bucket my-bucket --key os_requests/000000_0) as either the IAM User who put the object or as the Admin role result in "Forbidden." (An unencrypted object returns the expected json payload). The object can be ls'd or cp'd by either principal.

Does anyone know how I might get a more definitive yes or no?

已提問 4 年前檢視次數 2718 次
1 個回答

There are two ways I can think of,
1- something like:

import boto3

s3_client = boto3.client('s3')
response = s3_client.get_object(Bucket='testbucket',Key='testfile')


Not sure why your s3api CLI didn't work, but this above sample snippet works even for a readonly user.

2- Enable and use S3 Inventory, where you get frequent reports of all the objects in a bucket and in that report you can check the Encryption status for each of the objects.

I recommend using inventory specially if this task, checking the encryption of objects, is a frequent task. You can provide access only to the inventory reports to a user for that purpose.

已回答 4 年前

您尚未登入。 登入 去張貼答案。