AWS S3: Get Server-side encryption settings using CLI

Time:01-21

I can use the Amazon S3 web GUI console, click on a file on S3, and see the Server-side encryption settings, including which AWS KMS key is used.

How can I get this same information with the CLI? I've checked every obvious command and I'm finding nothing.

This shows me bucket level info, I want file level info:

aws s3api get-bucket-encryption

This doesn't show KMS/SSE info:

aws s3api get-object-acl

This just downloads the file, it doesn't get properties about the file:

aws s3api get-object

CodePudding user response:

TLDR: You probably would want to use aws s3api head-object

> This just downloads the file, it doesn't get properties about the file: aws s3api get-object

I don't know what version of the AWS CLI you are using, but with the latest one if you run get-object like this:

aws s3api get-object --bucket <bucket-name> --key <keyname> <outfile>

It will download the file, but it will also display something like this:

{
    "AcceptRanges": "bytes",
    "LastModified": "2022-01-20T21:24:21+00:00",
    "ContentLength": 17851,
    "ETag": "\"4a57f3ee4dd576e295c8ff0c9ad86063\"",
    "ContentType": "image/jpeg",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:069700690668:key/b2ae18e5-13ce-466a-82aa-641eb817d063"
}

This should contain the encryption type (ServerSideEncryption) and the ARN of the KMS key used (SSEKMSKeyId). You can see the docs for all the outputs for get-object.

Certainly, downloading the object may be unnecessary in some cases. If you don't want to download the object, you may want to use head-object:

aws s3api head-object --bucket <bucket-name> --key <keyname>

The output is the same as in the case of get-object.
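Added example, not part of the original answer: a shell helper that uses head-object with the CLI's `--query` and `--output text` options to read only ServerSideEncryption and SSEKMSKeyId, then compares the key with the one you expect. The function names and exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example: check one object's SSE settings against an expected KMS key.
# object_sse / check_object_sse and the exit codes are names chosen here,
# not part of the AWS CLI.

# Print "<ServerSideEncryption><TAB><SSEKMSKeyId>" for one object.
# With --output text, a field missing from the response is printed as "None".
object_sse() {
    aws s3api head-object --bucket "$1" --key "$2" \
        --query '[ServerSideEncryption, SSEKMSKeyId]' --output text
}

# Usage: check_object_sse <bucket> <key> <expected-kms-key-arn>
# Exit codes:
#   0  object uses SSE-KMS with the expected key
#   1  object uses SSE-KMS with a different key
#   2  object is not SSE-KMS (for example AES256, or no SSE field at all)
#   3  head-object failed (missing object, no permission, bad credentials)
check_object_sse() {
    sse_out=$(object_sse "$1" "$2") || return 3

    # Split the two tab-separated fields.
    read -r sse_mode sse_kms <<EOF
$sse_out
EOF

    case "$sse_mode" in
        aws:kms|aws:kms:dsse)
            [ "$sse_kms" = "$3" ] && return 0
            echo "s3://$1/$2: unexpected KMS key $sse_kms" >&2
            return 1
            ;;
        *)
            echo "s3://$1/$2: ServerSideEncryption=$sse_mode" >&2
            return 2
            ;;
    esac
}

# Example call (bucket, key and ARN are placeholders):
#   check_object_sse <bucket-name> <keyname> <expected-key-arn> && echo OK
```

Because head-object returns only metadata, the check needs no object download and can be run in a loop over keys.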
