Viewing the settings for an S3 Bucket Key
You can view the settings for an S3 Bucket Key at the bucket or object level by using the Amazon S3 console, REST API, AWS Command Line Interface (AWS CLI), or AWS SDKs.
S3 Bucket Keys decrease request traffic from Amazon S3 to AWS KMS and reduce the cost of server-side encryption using AWS Key Management Service (SSE-KMS). For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.
To view the S3 Bucket Key settings for a bucket or an object that has inherited
S3 Bucket Key settings from the bucket configuration, you need permission to perform the
s3:GetEncryptionConfiguration
action. For more information, see GetBucketEncryption in the Amazon Simple Storage Service API Reference.
In the S3 console, you can view the S3 Bucket Key settings for your bucket or object. S3 Bucket Key settings are inherited from the bucket configuration unless the source objects already has an S3 Bucket Key configured.
Objects and folders in the same bucket can have different S3 Bucket Key settings. For example, if you upload an object using the REST API and enable an S3 Bucket Key for the object, the object retains its S3 Bucket Key setting in the destination bucket, even if S3 Bucket Key is disabled in the destination bucket. As another example, if you enable an S3 Bucket Key for an existing bucket, objects that are already in the bucket do not use an S3 Bucket Key. However, new objects have an S3 Bucket Key enabled.
To view the S3 Bucket Key setting for your bucket
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
In the left navigation pane, choose Buckets.
-
In the Buckets list, choose the bucket that you want to enable an S3 Bucket Key for.
-
Choose Properties.
-
In the Default encryption section, under Bucket Key, you see the S3 Bucket Key setting for your bucket.
If you can’t see the S3 Bucket Key setting, you might not have permission to perform the
s3:GetEncryptionConfiguration
action. For more information, see GetBucketEncryption in the Amazon Simple Storage Service API Reference.
To view the S3 Bucket Key setting for your object
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
In the Buckets list, choose the bucket that you want to enable an S3 Bucket Key for.
-
In the Objects list, choose your object name.
-
On the Details tab, under Server-side encryption settings, choose Edit.
Under Bucket Key, you see the S3 Bucket Key setting for your object. You cannot edit this setting.
To return bucket-level S3 Bucket Key settings
To use this example, replace each
with your own information.user input
placeholder
aws s3api get-bucket-encryption --bucket
amzn-s3-demo-bucket1
For more information, see get-bucket-encryption
To return object-level S3 Bucket Key settings
To use this example, replace each
with your own information.user input
placeholder
aws s3api head-object --bucket
amzn-s3-demo-bucket1
--keymy_images.tar.bz2
For more information, see head-object
To return bucket-level S3 Bucket Key settings
To return encryption information for a bucket, including the settings for an
S3 Bucket Key, use the GetBucketEncryption
operation. S3 Bucket Key settings
are returned in the response body in the ServerSideEncryptionConfiguration
element with the BucketKeyEnabled
setting. For more information, see GetBucketEncryption in the Amazon S3 API Reference.
To return object-level settings for an S3 Bucket Key
To return the S3 Bucket Key status for an object, use the HeadObject
operation. HeadObject
returns
the x-amz-server-side-encryption-bucket-key-enabled
response header to
show whether an S3 Bucket Key is enabled or disabled for the object. For more
information, see HeadObject in the Amazon S3
API Reference.
The following API operations also return
the x-amz-server-side-encryption-bucket-key-enabled
response header if an
S3 Bucket Key is configured for an object: