Creating a Batch Operations job to update object encryption
To update the server-side encryption type of more than one Amazon S3 object with a single request, you can use S3 Batch Operations. You can use S3 Batch Operations through the Amazon S3 console, the Amazon Command Line Interface (Amazon CLI), the Amazon SDKs, or the Amazon S3 REST API.
To run the following commands, you must have the Amazon CLI installed and configured. If you don’t have the Amazon CLI installed, see Install or update to the latest version of the Amazon CLI in the Amazon Command Line Interface User Guide.
Alternatively, you can run Amazon CLI commands from the console by using Amazon CloudShell. Amazon CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the Amazon Web Services Management Console. For more information, see What is CloudShell? and Getting started with Amazon CloudShell in the Amazon CloudShell User Guide.
Example 1 – Create a Batch Operations job that updates encrypted objects from one Amazon KMS key to another KMS key
The following example shows how to create an S3 Batch Operations job that updates the encryption settings for multiple objects in your general purpose bucket. This command creates a job that changes objects encrypted with one Amazon Key Management Service (Amazon KMS) key to use a different KMS key. This job also generates and saves a manifest of the affected objects and creates a report of the results. To use this command, replace the user input placeholders with your own information.
aws s3control create-job --account-id account-id \
    --no-confirmation-required \
    --operation '{"S3UpdateObjectEncryption": { "ObjectEncryption": { "SSEKMS": { "KMSKeyArn": "KMS-key-ARN-to-apply", "BucketKeyEnabled": false } } } }' \
    --report '{ "Enabled": true, "Bucket": "report-bucket-ARN", "Format": "Report_CSV_20180820", "Prefix": "report", "ReportScope": "AllTasks" }' \
    --manifest-generator '{ "S3JobManifestGenerator": { "ExpectedBucketOwner": "account-id", "SourceBucket": "source-bucket-ARN", "EnableManifestOutput": true, "ManifestOutputLocation": { "Bucket": "manifest-bucket-ARN", "ManifestFormat": "S3InventoryReport_CSV_20211130", "ManifestPrefix": "manifest-prefix" }, "Filter": { "MatchAnyObjectEncryption": [{ "SSEKMS": { "KmsKeyArn": "kms-key-ARN-to-match" } }] } } }' \
    --priority 1 \
    --role-arn batch-operations-role-ARN
For best performance, we recommend using the KmsKeyArn filter in conjunction with other object metadata filters, such as MatchAnyPrefix, CreatedAfter, or MatchAnyStorageClass.
Example 2 – Create a Batch Operations job that updates SSE-S3 encrypted objects to SSE-KMS
The following example shows how to create an S3 Batch Operations job that updates the encryption settings for multiple objects in your general purpose bucket. This command creates a job that changes objects encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3) to use server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS) instead. This job also generates and saves a manifest of the affected objects and creates a report of the results. To use this command, replace the user input placeholders with your own information.
aws s3control create-job --account-id account-id \
    --no-confirmation-required \
    --operation '{"S3UpdateObjectEncryption": { "ObjectEncryption": { "SSEKMS": { "KMSKeyArn": "KMS-key-ARN-to-apply", "BucketKeyEnabled": false } } } }' \
    --report '{ "Enabled": true, "Bucket": "report-bucket-ARN", "Format": "Report_CSV_20180820", "Prefix": "report", "ReportScope": "AllTasks" }' \
    --manifest-generator '{ "S3JobManifestGenerator": { "ExpectedBucketOwner": "account-id", "SourceBucket": "source-bucket-ARN", "EnableManifestOutput": true, "ManifestOutputLocation": { "Bucket": "manifest-bucket-ARN", "ManifestFormat": "S3InventoryReport_CSV_20211130", "ManifestPrefix": "manifest-prefix" }, "Filter": { "MatchAnyObjectEncryption": [{ "SSES3": {} }] } } }' \
    --priority 1 \
    --role-arn batch-operations-role-ARN
For best performance, we recommend using the KmsKeyArn filter in conjunction with other object metadata filters, such as MatchAnyPrefix, CreatedAfter, or MatchAnyStorageClass.