mpechner

Reputation: 139

AWS S3: How do I enable S3 object encryption for objects that existed before?

Had a series of buckets that did not have encryption turned on. The boto3 code to turn it on is easy. Just using basic AES256.

Unfortunately any object that already exists will not have server-side encryption set. I've been looking at the API and cannot find the call to change the attribute. Via the console, it is there. But I am not about to do that with 10000 objects.

Not willing to copy that much data out and then back in again.

The s3 object put looks like it expects to write an object. Does not seem to update an object.

Anyone willing to offer a pointer?

Upvotes: 2

Views: 1806

Answers (3)

mpechner

Reputation: 139

I've been reading and talking to friends. I tried something for the heck of it.

aws s3 cp s3://bucket/tools/README.md s3://bucket/tools/README.md

Encryption was turned on. Is AWS smart enough to recognize this and it just applied the bucket's encryption policy? Or did it really recopy the object on top of itself?

Upvotes: 2

Upul Doluweera

Reputation: 2346

You can do something like this to copy objects between buckets and encrypt them.

But copying is not without side effects; in order to understand what is behind copying we have to look at the S3 user guide.

Each object has metadata. Some of it is system metadata and other user-defined. Users control some of the system metadata, such as the storage class configuration to use for the object, and configure server-side encryption. When you copy an object, user-controlled system metadata and user-defined metadata are also copied. Amazon S3 resets the system-controlled metadata. For example, when you copy an object, Amazon S3 resets the creation date of the copied object. You don't need to set any of these values in your copy request.

You can find more about metadata from here

Note that if you choose to update any of the object's user-configurable metadata (system or user-defined) during the copy, then you must explicitly specify all the user-configurable metadata present on the source object in your request, even if you are changing only one of the metadata values.

You will also have to pay for copy requests. However, there won't be any charge for delete requests. Since there is no need to copy objects between regions in this case, you won't be charged for bandwidth.

So keep these in mind when you are going ahead with copy object in S3.

Upvotes: 0

John Hanley

Reputation: 81454

Amazon S3 has the ability to do a COPY operation where the source file and the destination file are the same (in object name only). This copy operation happens on S3, which means that you do not need to download and reupload the file.

To turn on encryption for a file, called Server Side Encryption (SSE AES-256), you can use the AWS CLI COPY command:

aws s3 cp s3://mybucket/myfile.zip s3://mybucket/myfile.zip --sse

The source file will be copied to the destination (notice the same object names) and SSE will be enabled (the file will be encrypted).

If you have a list of files, you could easily create a batch script to process each file.

Or you could write a simple Python program to scan each file on S3 and, if SSE is not enabled, encrypt it with the AWS CLI command or with the Python S3 APIs.

Upvotes: 4
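The scan-and-copy-in-place approach described in this answer, written out in boto3 as an added example (this is not code from the question or any of the answers). It takes an already constructed S3 client, lists every object under a prefix, and copies each unencrypted object onto itself with SSE-S3; the client is injected so the logic can be exercised offline against a stand-in.

```python
"""Re-encrypt existing S3 objects in place by copying each object onto itself with SSE-S3.

Added example; bucket name and prefix are placeholders the caller supplies.
"""
from typing import Any, Dict, List


def needs_encryption(head: Dict[str, Any]) -> bool:
    """True when a HeadObject response shows no server-side encryption.

    S3 returns ServerSideEncryption ("AES256" or "aws:kms") only for objects
    that are encrypted at rest; the key is absent for plaintext objects.
    """
    return "ServerSideEncryption" not in head


def copy_in_place_args(bucket: str, key: str) -> Dict[str, Any]:
    """Build the CopyObject arguments for a same-bucket, same-key copy.

    S3 rejects a copy of an object onto itself unless something changes;
    requesting SSE-S3 is such a change, so the default MetadataDirective
    (COPY) keeps the user metadata and content type intact.
    """
    return {
        "Bucket": bucket,
        "Key": key,
        "CopySource": {"Bucket": bucket, "Key": key},
        "ServerSideEncryption": "AES256",
    }


def encrypt_prefix(s3: Any, bucket: str, prefix: str = "") -> List[str]:
    """Walk a prefix and encrypt every object that lacks SSE; return the keys changed.

    CopyObject handles objects up to 5 GB in one request; larger objects
    need a multipart copy (the AWS CLI does that for you).
    """
    changed: List[str] = []
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):  # empty prefix has no Contents key
            key = obj["Key"]
            head = s3.head_object(Bucket=bucket, Key=key)
            if needs_encryption(head):
                s3.copy_object(**copy_in_place_args(bucket, key))
                changed.append(key)
    return changed


if __name__ == "__main__":
    import boto3  # imported here so the module loads without AWS credentials

    print(encrypt_prefix(boto3.client("s3"), "my-bucket-placeholder", "tools/"))
```

Turning on default bucket encryption first (as the question already did) means any object written after this run is covered too, so the scan only has to catch up on the backlog.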
