How to enable S3 server-side encryption for existing objects

This is part of our cloud security series.
Do you have unencrypted S3 objects lying around? Don't! S3 cannot encrypt an object in place; server-side encryption is applied when an object is written, so existing objects have to be copied with encryption requested. Here's the safe way to retroactively enable server-side encryption:
Step 1: Make a backup bucket
AWS management console is easiest. Call it [my-bucket]-backup.
Step 2: Copy one way
require 'aws-sdk'
# ACCESS_KEY_ID / SECRET_ACCESS_KEY are placeholders for your own credentials;
# omit both arguments to let the SDK use its default credential chain instead.
s3 = Aws::S3::Resource.new(region: 'us-east-1', access_key_id: ACCESS_KEY_ID, secret_access_key: SECRET_ACCESS_KEY)
b1 = s3.bucket('my-bucket')
b2 = s3.bucket('my-bucket-backup')
# Only objects under the 'xyz' prefix; call b1.objects with no prefix if you want everything
b1.objects(prefix: 'xyz').each do |object_summary|
  o1 = b1.object object_summary.key
  o2 = b2.object object_summary.key
  # Server-side copy into the backup bucket, stored with SSE-S3 (AES256)
  o1.copy_to o2, server_side_encryption: 'AES256'
end
Step 3: Sanity check
Now look at [my-bucket]-backup - it's probably 100% perfect, but just reassure yourself.
Step 4: Copy back over
There are 2 changes here (iterate the backup bucket, and copy from o2 back to o1), so you might want to copy-paste:
# Iterate everything in the backup bucket; each copy overwrites the original
# object with an encrypted version (same key, same content)
b2.objects.each do |object_summary|
  o1 = b1.object object_summary.key
  o2 = b2.object object_summary.key
  o2.copy_to o1, server_side_encryption: 'AES256'
end
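Before deleting the backup in Step 5, here is an added check (not from the original post) that covers Steps 3 and 4, written against the same bucket.objects / bucket.object calls the script above uses: it lists keys that still lack SSE-S3 and reconciles original against backup key for key. FakeBucket and the sample objects are constructed stand-ins so it runs offline; with the real SDK, pass b1 and b2 instead.

```ruby
# Obj mirrors the fields this check reads from Aws::S3::ObjectSummary / Aws::S3::Object.
Obj = Struct.new(:key, :size, :server_side_encryption, keyword_init: true)

# Constructed stand-in for Aws::S3::Bucket: same objects(prefix:) / object(key)
# calls the post's script uses, backed by an in-memory hash so this runs offline.
class FakeBucket
  def initialize(objs)
    @objs = objs.map { |o| [o.key, o] }.to_h
  end
  def objects(prefix: '')
    @objs.values.select { |o| o.key.start_with?(prefix) }
  end
  def object(key)
    @objs.fetch(key) # real SDK: issues HeadObject when an attribute is read
  end
end

# Keys under prefix whose HeadObject does not report SSE-S3 (AES256).
def unencrypted_keys(bucket, prefix: '')
  bucket.objects(prefix: prefix).each_with_object([]) do |summary, bad|
    sse = bucket.object(summary.key).server_side_encryption
    bad << summary.key unless sse == 'AES256'
  end
end

# Key-for-key reconciliation of original vs backup: anything missing, anything
# unexpected, and any key whose size differs (a copy that did not complete).
def reconcile(original, backup, prefix: '')
  orig = original.objects(prefix: prefix).map { |o| [o.key, o.size] }.to_h
  back = backup.objects(prefix: prefix).map { |o| [o.key, o.size] }.to_h
  {
    missing_from_backup: orig.keys - back.keys,
    extra_in_backup: back.keys - orig.keys,
    size_mismatch: (orig.keys & back.keys).reject { |k| orig[k] == back[k] }
  }
end

# Constructed sample: b.txt was never re-encrypted and its backup copy is short,
# and logs/c.gz never reached the backup at all.
ORIGINAL = FakeBucket.new([
  Obj.new(key: 'xyz/a.txt', size: 10, server_side_encryption: 'AES256'),
  Obj.new(key: 'xyz/b.txt', size: 20, server_side_encryption: nil),
  Obj.new(key: 'logs/c.gz', size: 30, server_side_encryption: 'AES256')
])
BACKUP = FakeBucket.new([
  Obj.new(key: 'xyz/a.txt', size: 10, server_side_encryption: 'AES256'),
  Obj.new(key: 'xyz/b.txt', size: 21, server_side_encryption: 'AES256')
])
p unencrypted_keys(ORIGINAL) # => ["xyz/b.txt"]
p reconcile(ORIGINAL, BACKUP) # => {missing_from_backup: ["logs/c.gz"], ...}
```

Run it against b1 before Step 2 to see what needs encrypting, against b2 after Step 2, and against b1 again after Step 4; only delete the backup once unencrypted_keys is empty and reconcile reports nothing missing.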
Step 5: (optional) Clean up
Delete [my-bucket]-backup.