This is part of our cloud security series.
Do you have unencrypted S3 objects lying around? Don't! Here's the safe way to retroactively enable server-side encryption:
Step 1: Make a backup bucket
AWS management console is easiest. Call it
Step 2: Copy one way
```ruby
require 'aws-sdk'

# ACCESS_KEY_ID and SECRET_ACCESS_KEY must already be defined with your credentials
s3 = Aws::S3::Resource.new(
  region: 'us-east-1',
  access_key_id: ACCESS_KEY_ID,
  secret_access_key: SECRET_ACCESS_KEY
)
b1 = s3.bucket('my-bucket')
b2 = s3.bucket('my-bucket-backup')

# or no prefix if you want everything
b1.objects(prefix: 'xyz').each do |object_summary|
  o1 = b1.object object_summary.key
  o2 = b2.object object_summary.key
  # copy into the backup bucket, encrypting server-side as it is written
  o1.copy_to o2, server_side_encryption: 'AES256'
end
```
Step 3: Sanity check
Now look at [my-bucket]-backup. It's probably 100% perfect, but just reassure yourself.
Step 4: Copy back over
There are 2 changes here, so you might want to copy-paste:
```ruby
# reuses b1 and b2 from step 2; the changes are b2.objects and o2.copy_to o1
b2.objects.each do |object_summary|
  o1 = b1.object object_summary.key
  o2 = b2.object object_summary.key
  o2.copy_to o1, server_side_encryption: 'AES256'
end
```
Step 5: (optional) Clean up
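Before deleting anything, the sanity check from step 3 can be scripted, and run again with the arguments swapped after step 4. This is an added example, not code from the original post; `verify_copy`, `listing` and the sample listings are hypothetical names and constructed values.

```ruby
# Added example. A listing is an array of hashes { key:, size:, etag:, sse: }.
Problem = Struct.new(:key, :reason)

# Multipart uploads get an ETag like "<hex>-<parts>", which is not an MD5.
def multipart_etag?(etag)
  etag.to_s.include?('-')
end

# Returns a Problem for every object in `from` that is missing, altered or
# not SSE-S3 encrypted in `to`.
def verify_copy(from, to)
  by_key = to.to_h { |o| [o[:key], o] }
  from.each_with_object([]) do |src, problems|
    dst = by_key[src[:key]]
    if dst.nil?
      problems << Problem.new(src[:key], :missing)
      next
    end
    problems << Problem.new(src[:key], :size_mismatch) if dst[:size] != src[:size]
    # Only single-part ETags are content digests, so only those are compared.
    if !multipart_etag?(src[:etag]) && !multipart_etag?(dst[:etag]) &&
       dst[:etag] != src[:etag]
      problems << Problem.new(src[:key], :etag_mismatch)
    end
    problems << Problem.new(src[:key], :not_encrypted) if dst[:sse] != 'AES256'
  end
end

# Builds a listing from an Aws::S3::Bucket such as b1 or b2 in the post.
# The listing does not report encryption, so this costs one HEAD per object.
def listing(bucket, options = {})
  bucket.objects(options).map do |s|
    { key: s.key, size: s.size, etag: s.etag,
      sse: s.object.server_side_encryption }
  end
end

# Constructed sample listings so the check runs without AWS access.
SAMPLE_SOURCE = [
  { key: 'xyz/a.txt', size: 12, etag: '"0a1b"', sse: nil },
  { key: 'xyz/b.txt', size: 34, etag: '"2c3d"', sse: nil },
  { key: 'xyz/c.bin', size: 56, etag: '"4e5f"', sse: nil },
  { key: 'xyz/d.iso', size: 9000, etag: '"6a7b-2"', sse: nil }
].freeze
SAMPLE_BACKUP = [
  { key: 'xyz/a.txt', size: 12, etag: '"0a1b"', sse: 'AES256' },
  { key: 'xyz/c.bin', size: 56, etag: '"4e5f"', sse: nil },
  { key: 'xyz/d.iso', size: 9000, etag: '"8c9d"', sse: 'AES256' }
].freeze
```

Against live buckets, `verify_copy(listing(b1, prefix: 'xyz'), listing(b2))` covers step 3 and `verify_copy(listing(b2), listing(b1))` confirms the copy back; an empty result means nothing was flagged.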