← All posts
2 min read

Inspect S3 bucket encryption deeply

#aws#cli#s3#storage
📑 On this page

Part 27 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

get-bucket-encryption is the source of truth for the bucket default. The key fields are the algorithm, optional KMS key ID, and S3 Bucket Key setting.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api get-bucket-encryption --bucket "$BUCKET"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-encryption \
  --bucket "$BUCKET" \
  --query "ServerSideEncryptionConfiguration.Rules[].{Algorithm:ApplyServerSideEncryptionByDefault.SSEAlgorithm,KmsKey:ApplyServerSideEncryptionByDefault.KMSMasterKeyID,BucketKey:BucketKeyEnabled}" \
  --output table

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

aws s3api head-object \
  --bucket "$BUCKET" \
  --key "existing-object.txt" \
  --query "{ObjectEncryption:ServerSideEncryption,KmsKey:SSEKMSKeyId}"

Bucket defaults describe future writes. head-object tells you how one existing object was actually encrypted.

Common mistake

Changing the default encryption does not rewrite old objects. Audit bucket configuration and object metadata separately when the distinction matters.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Block all public access on an S3 bucket.

Official AWS CLI reference