Amazon S3 SSE-C encryption of file already on S3

Question

I have an application running since many time that uploads files (images) on S3 storage.

Now I've been requested to update this application and upload file using SSE-C encryption (Server Side Encryption with Customer provided key). So I did it.

I'm also able to upload SSE-C encrypted files using aws cli.

What I need now, and here is my question, is to find a way to apply SSE-C encryption to earlier files already on S3 without SSE-C encryption.

Could someone explain me if and how this can be accomplished or point me to some doc or support page in order to find a solution?

One (maybe inefficient) way I found is doing the following for each file:

1. copy filename to filename.encrypted applying the SSE-C encryption
2. move filename.encrypted to filename

Is this the only way to do it or there is a better one?

NOTES:

• Since I have many many files I obviously excluded the option to download the file and then upload again with SSE-C encryption because it'll be too slow and too expensive.
• A solution that let apply the SSE-C without data transfert from and back to S3 is the one I'm looking for.

Thank you very much for any feedback on this.

Answer 1

You can apply encryption to already-existing objects by simply copying the object on top of itself:

aws s3 cp s3://bucket/foo.txt s3://bucket/foo.txt --sse-c --sse-c-key fileb://key.bin

This works as long as something (eg the encryption) is changing.

I got the --sse-c syntax from: How to supply a key on the command line that's not Base 64 encoded