How to confirm an object in S3 is Encrypted

0

When I examine (via console) the properties of an object I put into a bucket with default encryption enabled (AES-256) the Server-side encryption attribute says "Access Denied." (An unencrypted object says "None"). I'm examining the object under the Admin role. An IAM user with lesser permissions (and isn't console-enabled) put the object.

Attempts to HeadObject at the command line (aws s3api head-object --bucket my-bucket --key os_requests/000000_0) as either the IAM User who put the object or as the Admin role result in "Forbidden." (An unencrypted object returns the expected json payload). The object can be ls'd or cp'd by either principal.

Does anyone know how I might get a more definitive yes or no?

AWS
已提問 4 年前檢視次數 2718 次
1 個回答
0
已接受的答案

There are two ways I can think of,
1- something like:

import boto3

s3_client = boto3.client('s3')
response = s3_client.get_object(Bucket='testbucket',Key='testfile')

print(response.get('ServerSideEncryption'))

Not sure why your s3api CLI didn't work, but this above sample snippet works even for a readonly user.

2- Enable and use S3 Inventory, where you get frequent reports of all the objects in a bucket and in that report you can check the Encryption status for each of the objects.

I recommend using inventory specially if this task, checking the encryption of objects, is a frequent task. You can provide access only to the inventory reports to a user for that purpose.

AWS
專家
已回答 4 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南