
AWS S3: Get Server-side encryption settings using CLI


I can use the Amazon S3 web GUI console, click on a file on S3, and see the Server-side encryption settings, including which AWS KMS key is used.

How can I get this same information with the CLI? I've checked every obvious command and I'm finding nothing.

This shows me bucket level info, I want file level info:

aws s3api get-bucket-encryption

This doesn't show KMS/SSE info:

aws s3api get-object-acl

This just downloads the file, it doesn't get properties about the file:

aws s3api get-object

Solution

  • TLDR: You probably would want to use aws s3api head-object

    This just downloads the file, it doesn't get properties about the file: aws s3api get-object

    I don't know what version of the AWS CLI you are using, but with the latest one, if you run get-object like this:

    aws s3api get-object --bucket <bucket-name> --key <keyname> <outfile>
    

    It will download the file, but it will also display something like this:

    {
        "AcceptRanges": "bytes",
        "LastModified": "2022-01-20T21:24:21+00:00",
        "ContentLength": 17851,
        "ETag": "\"4a57f3ee4dd576e295c8ff0c9ad86063\"",
        "ContentType": "image/jpeg",
        "ServerSideEncryption": "aws:kms",
        "Metadata": {},
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:069700690668:key/b2ae18e5-13ce-466a-82aa-641eb817d063"
    }
    

    This should contain the encryption type (ServerSideEncryption) and the ARN of the KMS key used (SSEKMSKeyId). You can see the docs for all the outputs for get-object.

    Certainly, downloading the object may be unnecessary in some cases. If you don't want to download the object, you may want to use head-object:

    aws s3api head-object --bucket <bucket-name> --key <keyname>
    

    The output is the same as in case of get-object.
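Building on the head-object call in the answer above, the following added example (not part of the original question or answer) checks every object in a bucket against an expected KMS key without downloading anything. The function names `object_sse` and `audit_bucket_sse` are hypothetical, and the script assumes a non-empty bucket whose object keys contain no newlines or tabs.

```bash
# Added example, not from the original answer. Function names are hypothetical.

# Print "<ServerSideEncryption><TAB><SSEKMSKeyId>" for one object via
# head-object (metadata only, no download). With --output text the CLI
# prints "None" for a field that is absent from the response.
object_sse() {
    aws s3api head-object --bucket "$1" --key "$2" \
        --query '[ServerSideEncryption, SSEKMSKeyId]' --output text
}

# Report every object in bucket $1 that is not encrypted with SSE-KMS under
# the expected key ARN $2, one line per object: key, mode, key ARN.
# Returns 0 if all objects comply, 1 if any do not, 2 if listing fails.
# Assumptions: bucket is non-empty; object keys contain no newlines or tabs.
audit_bucket_sse() {
    bucket=$1
    expected=$2
    status=0
    keys=$(aws s3api list-objects-v2 --bucket "$bucket" \
        --query 'Contents[].[Key]' --output text) || return 2
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if ! sse=$(object_sse "$bucket" "$key" </dev/null); then
            printf '%s\tERROR\thead-object failed\n' "$key"
            status=1
            continue
        fi
        # Split the tab-separated pair; neither value contains whitespace.
        read -r mode kms <<EOF
$sse
EOF
        if [ "$mode" = "aws:kms" ] && [ "$kms" = "$expected" ]; then
            continue
        fi
        printf '%s\t%s\t%s\n' "$key" "$mode" "$kms"
        status=1
    done <<EOF
$keys
EOF
    return "$status"
}

# Usage (placeholders): audit_bucket_sse <bucket-name> <expected-kms-key-arn>
```

An object reported with mode `AES256` uses SSE-S3, and one reported with `None` returned no ServerSideEncryption field at all.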