How to determine if an object is encrypted with a "regular" S3-SSE KMS key, or an S3 Bucket Key with S3 Inventory?

0

I have a very large bucket with many files. The bucket contains a mix of mostly "old" files encrypted with a non-Bucket-Key KMS key, and some new files that are using the new Bucket Key.

I do not want to call a HEAD operation on all of them to determine if ServerSideEncryptionConfiguration contains BucketKeyEnabled, for performance and cost reasons. However, I can't just check the bucket-level settings, as the bucket contains a mix of encrypted objects.

Documentation for S3 Inventory indicates that Encryption Status will not contain this info:

Encryption status – Set to SSE-S3, SSE-C, SSE-KMS, or NOT-SSE. The server-side encryption status for SSE-S3, SSE-KMS, and SSE with customer-provided keys (SSE-C).

I believe both old and new files will just return SSE-KMS.

Is there a way to access this info either via S3 Inventory (through yet undocumented behavior/config), or via another efficient method?

I do not want to just use an "all files before the date the Bucket Key was turned on" method, as while that may work for this specific use case, I need a solution with a broader scope for the future.

AWS
asked 4 years ago · 1.6K views
1 Answer
1
Accepted Answer

As of today this information is not available in the inventory report, and you will have to use S3 HEAD API calls to generate Bucket Key status on an object. However, we are aware of this feedback and are working on an update to release Bucket Key status in the inventory report.

AWS (EXPERT)
answered 4 years ago, reviewed 6 months ago
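A way to apply the accepted answer while limiting the cost it warns about, as an added example that is not part of the original thread: use the inventory report to skip objects that are not SSE-KMS at all, then HEAD only the remaining ones and read `BucketKeyEnabled` from the response. The inventory column order (Bucket, Key, EncryptionStatus), the sample rows and the `FakeS3` stand-in for `boto3.client("s3")` are constructed assumptions for an offline run.

```python
"""Classify SSE-KMS objects as Bucket Key vs. plain KMS via HEAD calls."""
import csv
import io


def classify_head(head: dict) -> str:
    """Map a head_object response to an encryption class.

    head_object returns ServerSideEncryption ('AES256' or 'aws:kms'...)
    and, for SSE-KMS objects, BucketKeyEnabled=True when an S3 Bucket
    Key was used. Objects with no SSE have no ServerSideEncryption key.
    """
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "NOT-SSE"
    if sse == "AES256":
        return "SSE-S3"
    if sse.startswith("aws:kms"):
        return "SSE-KMS-BUCKET-KEY" if head.get("BucketKeyEnabled") else "SSE-KMS"
    return "UNKNOWN"


def sse_kms_keys_from_inventory(csv_text: str):
    """Yield (bucket, key) for rows whose inventory status is SSE-KMS.

    Assumed column order: Bucket, Key, EncryptionStatus. Inventory CSV
    files carry no header row; the order comes from the manifest's
    fileSchema, so adjust the unpacking to match your own report.
    """
    for bucket, key, status in csv.reader(io.StringIO(csv_text)):
        if status == "SSE-KMS":
            yield bucket, key


def bucket_key_status(s3, rows) -> dict:
    """HEAD each candidate object and return {key: encryption class}."""
    return {key: classify_head(s3.head_object(Bucket=bucket, Key=key))
            for bucket, key in rows}


# Constructed sample inventory rows (not real data).
SAMPLE_INVENTORY = ('"mybucket","old/report.csv","SSE-KMS"\n'
                    '"mybucket","new/report.csv","SSE-KMS"\n'
                    '"mybucket","plain/readme.txt","NOT-SSE"\n')


class FakeS3:
    """Offline stand-in for boto3.client('s3'); implements head_object only."""
    responses = {  # constructed responses; key ARN is a placeholder
        "old/report.csv": {"ServerSideEncryption": "aws:kms",
                           "SSEKMSKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
        "new/report.csv": {"ServerSideEncryption": "aws:kms",
                           "SSEKMSKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
                           "BucketKeyEnabled": True},
    }

    def head_object(self, Bucket, Key):
        return dict(self.responses[Key])
```

With a real client, `bucket_key_status(boto3.client("s3"), sse_kms_keys_from_inventory(text))` issues one HEAD per SSE-KMS object and none for the SSE-S3 or unencrypted ones.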
