How can I check if S3 objects is encrypted using boto?

Question

I'm writing a python scripts to find out whether S3 object is encrypted. I tried using following code but key.encrypted always returns None even though I can see the object on S3 is encrypted.

keys = bucket.list()
for k in keys:
    print k.name, k.size, k.last_modified, k.encrypted , "\n"

k.encrypted always returns None.

Answer 1

expanding on @mfisherca's response, you can do this with the AWS CLI:

aws s3api head-object --bucket <bucket> --key <key>

# or query the value directly

aws s3api head-object --bucket <bucket> --key <key> \
  --query ServerSideEncryption --output text

Answer 2

You can also check the encryption state for specific objects using the head_object call. Here's an example in Python/boto:

#!/usr/bin/env python
import boto3

s3_client = boto3.client('s3')
head = s3_client.head_object(
    Bucket="<S3 bucket name>",
    Key="<S3 object key>"
)
if 'ServerSideEncryption' in head:
    print head['ServerSideEncryption']

See: http://boto3.readthedocs.io/en/latest/reference/services/s3.html#S3.Client.head_object

Answer 3

For what it's worth, you can do this using boto3 (which can be used side-by-side with boto).

s3 = boto3.resource('s3')
bucket = s3.Bucket('my-bucket-name')
for obj in bucket.objects.all():
    key = s3.Object(bucket.name, obj.key)
    print key.server_side_encryption

See the boto3 docs for a list of available key attributes.