I have a very large bucket with many files. The bucket contains a mix of mostly "old" files encrypted with a non-Bucket-Key KMS key, and some new files that are using the new Bucket Key.
I do not want to call a HEAD operation on all of them, for performance and cost reasons, to determine whether ServerSideEncryptionConfiguration contains BucketKeyEnabled. However, I can't just check the bucket-level settings, as the bucket contains a mix of encrypted objects.
Documentation for S3 Inventory indicates that Encryption Status will not contain this info:
    Encryption status – Set to SSE-S3, SSE-C, SSE-KMS, or NOT-SSE. The server-side encryption status for SSE-S3, SSE-KMS, and SSE with customer-provided keys (SSE-C).
I believe both old and new files will just return SSE-KMS.
Is there a way to access this info either via S3 Inventory (through yet undocumented behavior/config), or via another efficient method?
I do not want to just use an "all files before the date the Bucket Key was turned on" method, as while that may work for this specific use case, I need a solution with a broader scope for the future.
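An added worked example, not part of the question above: it parses a constructed S3 Inventory CSV report and classifies each object's Bucket Key usage. S3 Inventory CSV reports carry no header row; the column order is the `fileSchema` in the report's manifest.json, and the two schemas below are assumed configurations (one without and one with the optional `BucketKeyStatus` field). The point the example makes concrete is the one in the question: `EncryptionStatus` reads SSE-KMS for both the old and the new objects, so an inventory without `BucketKeyStatus` cannot tell them apart, and those keys fall through to a per-object HEAD. The `head_bucket_key_status` helper maps a boto3 `head_object()` response (its `ServerSideEncryption` and `BucketKeyEnabled` fields) onto the same ENABLED/DISABLED vocabulary; the sample rows and responses are constructed, not real report output.

```python
"""Classify S3 objects by Bucket Key usage from an S3 Inventory CSV report.

Added example; assumptions: column order is taken from the inventory
manifest's fileSchema, and the sample rows below are constructed by hand.
"""
import csv
import io
from collections import Counter

# Two fileSchema variants: an inventory configured without, and with, the
# optional BucketKeyStatus field (values ENABLED / DISABLED).
SCHEMA_WITHOUT_BK = ["Bucket", "Key", "Size", "EncryptionStatus"]
SCHEMA_WITH_BK = ["Bucket", "Key", "Size", "EncryptionStatus", "BucketKeyStatus"]

# Constructed sample: two "old" objects under a plain KMS key, one "new" object
# under the Bucket Key, and one SSE-S3 object. Both variants list the same keys.
SAMPLE_WITH_BK = (
    '"my-bucket","old/a.bin","1024","SSE-KMS","DISABLED"\n'
    '"my-bucket","old/b.bin","2048","SSE-KMS","DISABLED"\n'
    '"my-bucket","new/c.bin","512","SSE-KMS","ENABLED"\n'
    '"my-bucket","plain/d.txt","10","SSE-S3","DISABLED"\n'
)
SAMPLE_WITHOUT_BK = (
    '"my-bucket","old/a.bin","1024","SSE-KMS"\n'
    '"my-bucket","old/b.bin","2048","SSE-KMS"\n'
    '"my-bucket","new/c.bin","512","SSE-KMS"\n'
    '"my-bucket","plain/d.txt","10","SSE-S3"\n'
)


def parse_inventory(csv_text, schema):
    """Yield one dict per object, keyed by the schema's field names."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(schema):
            raise ValueError(f"row has {len(row)} fields, schema has {len(schema)}")
        yield dict(zip(schema, row))


def bucket_key_status(obj):
    """Return 'ENABLED', 'DISABLED', or None when the report cannot tell.

    Only SSE-KMS objects can use a Bucket Key, so anything else is DISABLED
    even when the optional field was not requested.
    """
    if obj["EncryptionStatus"] != "SSE-KMS":
        return "DISABLED"
    status = obj.get("BucketKeyStatus")
    if status in ("ENABLED", "DISABLED"):
        return status
    return None  # SSE-KMS, but no BucketKeyStatus column: needs a HEAD


def summarize(csv_text, schema):
    """Count objects per status and list the keys that still need a HEAD."""
    counts = Counter()
    undetermined = []
    for obj in parse_inventory(csv_text, schema):
        status = bucket_key_status(obj)
        counts[status] += 1
        if status is None:
            undetermined.append(obj["Key"])
    return dict(counts), undetermined


def head_bucket_key_status(head_response):
    """Map a boto3 head_object() response onto the inventory vocabulary.

    For SSE-KMS objects head_object reports BucketKeyEnabled (the
    x-amz-server-side-encryption-bucket-key-enabled header); it is absent or
    False for objects encrypted without a Bucket Key. Call this only for the
    keys summarize() returned as undetermined, not for the whole bucket.
    """
    sse = head_response.get("ServerSideEncryption", "")
    if not sse.startswith("aws:kms"):
        return "DISABLED"
    return "ENABLED" if head_response.get("BucketKeyEnabled") else "DISABLED"


if __name__ == "__main__":
    print("with BucketKeyStatus:   ", summarize(SAMPLE_WITH_BK, SCHEMA_WITH_BK))
    print("without BucketKeyStatus:", summarize(SAMPLE_WITHOUT_BK, SCHEMA_WITHOUT_BK))
```

With the field present every object is resolved from the report alone; without it, every SSE-KMS key comes back as undetermined, which is exactly the set of HEAD calls the question is trying to avoid.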