Reputation: 615
My account has a few hundred buckets, and I need to be able to show the encryption status for all of them. I'd like to be able to do this via the CLI. I see there is a 'get-bucket-encryption' operation, but I can't figure out how to run it against all buckets rather than just a specific bucket.
Upvotes: 3
Views: 6057
Reputation: 2206
A one-liner option. This will either print the server-side encryption algorithm (i.e. AES256) or print an error message if SSE is not enabled.
aws s3api list-buckets --query "Buckets[].Name" | jq -r ".[]" | xargs -I {} bash -c "echo {}; aws s3api get-bucket-encryption --bucket {} | jq -r '.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm'"
Upvotes: 1
Reputation: 11
Just adding on to this slightly older question with a python3 answer.
Like the Nodejs one above me, it also assumes you have the credentials set up correctly as well as the boto3 SDK installed.
import boto3
import botocore.exceptions


def main():
    client = boto3.client('s3')
    bucket_list = client.list_buckets()
    encrypted_buckets = []
    unencrypted_buckets = []
    for item in bucket_list['Buckets']:
        try:
            encryption_info = client.get_bucket_encryption(
                Bucket=item['Name']
            )
            encrypted_buckets.append([item['Name'], encryption_info['ServerSideEncryptionConfiguration']])
        except botocore.exceptions.ClientError as error:
            if error.response['Error']['Code'] == 'ServerSideEncryptionConfigurationNotFoundError':
                # No default encryption configuration on this bucket
                unencrypted_buckets.append(item['Name'])
            else:
                # Other errors (e.g. AccessDenied) say nothing about encryption; don't hide them
                raise
    print("Encrypted Buckets - Encryption Type")
    for item in encrypted_buckets:
        print(item)
    print("\nUnencrypted Buckets")
    for item in unencrypted_buckets:
        print(item)


if __name__ == "__main__":
    main()
This will output a list of encrypted buckets, then unencrypted buckets, to the command line.
Upvotes: 1
Reputation: 825
I know this question is for the CLI, but here's the answer in Nodejs.
Assuming that you've set up all the credentials and installed aws-sdk, this is what you should run:
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

s3.listBuckets(function(err, data) {
  if (err) {
    console.log(err, err.stack);
    return; // data is undefined when the call fails
  }
  let bucketData = data.Buckets;
  let bucketLength = data.Buckets.length;
  for (let i = 0; i < bucketLength; i++) {
    var params = {
      Bucket: `${bucketData[i].Name}` /* required */
    };
    // Callbacks finish in arbitrary order, so each line is labelled rather than relying on print order
    s3.getBucketEncryption(params, function(err, data) {
      if (err) {
        console.log(`${bucketData[i].Name}: not encrypted`); // any error is treated as non-encrypted
      } else if (data) {
        console.log(`${bucketData[i].Name}: encrypted`);
      }
    });
  }
});
Upvotes: 1
Reputation: 238797
You can run it in a loop over the results of list-buckets.
For example:
for bucket_name in $(aws s3api list-buckets --query "Buckets[].Name" --output text); do
    echo "${bucket_name}"
    encryption_info=$(aws s3api get-bucket-encryption \
        --bucket "${bucket_name}" 2>/dev/null)
    if [[ $? != 0 ]]; then
        echo " - no-encryption"
    else
        echo " - ${encryption_info}"
    fi
done
If a bucket has no encryption, get-bucket-encryption returns an error, so I assume above that any error means that there is no encryption.
Upvotes: 9
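An added example, not part of any answer above: a variant of the loop that reads the error code from the CLI's stderr, so a bucket that could not be checked (for instance `AccessDenied`) is reported as unknown rather than as unencrypted. The function names and status strings are assumptions made for this sketch; the `--query` path is the one the jq one-liner reads.

```shell
#!/bin/sh
# Added example: separate "no default encryption" from "could not check".

# JMESPath for the algorithm (same path as the jq one-liner on this page).
SSE_QUERY='ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm'

# classify_result EXIT_CODE STDOUT STDERR -> prints one status string.
# (hypothetical helper; status strings are this example's own)
classify_result() (
  rc=$1; out=$2; err=$3
  if [ "$rc" -eq 0 ]; then
    printf 'encrypted:%s\n' "$out"
  else
    # The CLI reports service errors as "An error occurred (<Code>) when calling ..."
    code=$(printf '%s\n' "$err" |
      sed -n 's/.*An error occurred (\([^)]*\)).*/\1/p' | head -n 1)
    case $code in
      ServerSideEncryptionConfigurationNotFoundError)
        printf 'no-default-encryption\n' ;;
      '')  # no service error code: network failure, bad credentials file, ...
        printf 'unknown:unparsed-error\n' ;;
      *)   # e.g. AccessDenied: the bucket's state was not observed
        printf 'unknown:%s\n' "$code" ;;
    esac
  fi
)

# audit_buckets -> one "bucket<TAB>status" line per bucket in the account.
audit_buckets() (
  errfile=$(mktemp) || exit 1
  for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    rc=0
    out=$(aws s3api get-bucket-encryption --bucket "$bucket" \
            --query "$SSE_QUERY" --output text 2>"$errfile") || rc=$?
    printf '%s\t%s\n' "$bucket" \
      "$(classify_result "$rc" "$out" "$(cat "$errfile")")"
  done
  rm -f "$errfile"
)
```

Source the file and run `audit_buckets`; filtering the output for `unknown:` lists the buckets whose status still needs to be checked with different permissions.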