{"id":4194,"date":"2020-10-23T15:56:33","date_gmt":"2020-10-23T20:56:33","guid":{"rendered":"https:\/\/dev.iachieved.it\/iachievedit\/?p=4194"},"modified":"2020-10-23T15:56:33","modified_gmt":"2020-10-23T20:56:33","slug":"encrypting-existing-s3-buckets","status":"publish","type":"post","link":"https:\/\/dev.iachieved.it\/iachievedit\/encrypting-existing-s3-buckets\/","title":{"rendered":"Encrypting Existing S3 Buckets"},"content":{"rendered":"<p>Utilizing encryption <em>everywhere<\/em>, particularly in cloud environments, is a solid idea that just makes good sense.  AWS S3 makes it easy to create buckets whose objects are encrypted by default, but what if you didn&#8217;t initially configure it that way and already have objects uploaded?<\/p>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/encryption_disabled.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4196 size-full\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/encryption_disabled.png\" alt=\"\" width=\"976\" height=\"739\" \/><\/a><\/p>\n<p>It&#8217;s easy enough to change the default encryption setting of the bucket. Select the <em>Default Encryption<\/em> box and choose one of the encryption options. I prefer the simplicity of choosing the AWS-managed keys for AES-256. Click <em>Save<\/em>.<\/p>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/select256.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4198\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/select256.png\" alt=\"\" width=\"553\" height=\"579\" \/><\/a><\/p>\n<p>You can now see that the default encryption setting for the bucket is AES-256.  
That is, any new objects uploaded to the bucket will automatically be encrypted.<\/p>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/256selected.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4200\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/256selected.png\" alt=\"\" width=\"315\" height=\"265\" \/><\/a><\/p>\n<p>Now, we talked about new objects uploaded to the bucket, but what about existing objects?  That&#8217;s where the catch is:  changing the default encryption of the bucket <a href=\"https:\/\/aws.amazon.com\/premiumsupport\/knowledge-center\/s3-existing-objects-default-encryption\/\">does not affect existing objects<\/a>!<\/p>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/stillnotencrypted.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4201\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/stillnotencrypted.png\" alt=\"\" width=\"686\" height=\"668\" \/><\/a><\/p>\n<p>To remedy this, one must <em>copy<\/em> all of the objects in the S3 bucket &#8220;onto&#8221; themselves. Yes, that&#8217;s really how it is done. This can be accomplished easily using the application <code>s3cmd<\/code>.  <code>s3cmd<\/code> can be installed using <code>apt-get<\/code> on Debian-based systems, or <code>brew<\/code> on macOS.  For more <code>s3cmd<\/code> installation options, see <a href=\"https:\/\/s3tools.org\/s3cmd\">S3tools.org<\/a>.<\/p>\n<p>With <code>s3cmd cp<\/code> you provide the source and destination buckets.  In this case the source and destination are the same.  
Make sure to include the <code>--recursive<\/code> option (similar to using <code>cp -R<\/code> to copy directories).<\/p>\n<pre>s3cmd cp s3:\/\/it.iachieved.backgrounds s3:\/\/it.iachieved.backgrounds --recursive\n<\/pre>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/s3cmd_cp.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4203\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/s3cmd_cp.png\" alt=\"\" width=\"699\" height=\"98\" \/><\/a><\/p>\n<p>Reloading an existing object&#8217;s overview in the S3 console shows that the object is now encrypted!<\/p>\n<p><a href=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/nowencrypted.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4204\" src=\"https:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2020\/10\/nowencrypted.png\" alt=\"\" width=\"698\" height=\"664\" \/><\/a><\/p>\n<p>And remember: <em>future<\/em> objects uploaded to this S3 bucket will be encrypted, so you only need to do the copy-over method once.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Utilizing encryption everywhere, particularly in cloud environments, is a solid idea that just makes good sense. AWS S3 makes it easy to create buckets whose objects are encrypted by default, but what if you didn&#8217;t initially configure it that way and already have objects uploaded? 
It&#8217;s easy enough to change the default encryption setting of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4200,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74,21,106],"tags":[],"class_list":["post-4194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws","category-devops","category-s3"],"_links":{"self":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/4194"}],"collection":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/comments?post=4194"}],"version-history":[{"count":15,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/4194\/revisions"}],"predecessor-version":[{"id":4215,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/posts\/4194\/revisions\/4215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/media\/4200"}],"wp:attachment":[{"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/media?parent=4194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/categories?post=4194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dev.iachieved.it\/iachievedit\/wp-json\/wp\/v2\/tags?post=4194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}