# Creating a Batch Operations job to update object encryption
<a name="batch-ops-update"></a>

To update the server-side encryption type of more than one Amazon S3 object with a single request, you can use S3 Batch Operations. You can use S3 Batch Operations through the Amazon S3 console, Amazon Command Line Interface (Amazon CLI) Amazon SDKs, or the Amazon S3 REST API.

## Using the Amazon CLI
<a name="batch-ops-example-cli-update-job"></a>

To run the following commands, you must have the Amazon CLI installed and configured. If you don’t have the Amazon CLI installed, see [Install or update to the latest version of the Amazon CLI](https://docs.amazonaws.cn//cli/latest/userguide/getting-started-install.html) in the *Amazon Command Line Interface User Guide*.

Alternatively, you can run Amazon CLI commands from the console by using Amazon CloudShell. Amazon CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the Amazon Web Services Management Console. For more information, see [What is CloudShell?](https://docs.amazonaws.cn//cloudshell/latest/userguide/welcome.html) and [Getting started with Amazon CloudShell](https://docs.amazonaws.cn//cloudshell/latest/userguide/getting-started.html) in the *Amazon CloudShell User Guide*.

**Example 1 – Create a Batch Operations job that updates encrypted objects from one Amazon KMS key to another KMS key**  
The following example shows how to create an S3 Batch Operations job that updates the encryption settings for multiple objects in your general purpose bucket. This command creates a job that changes objects encrypted with one Amazon Key Management Service (Amazon KMS) key to use a different KMS key. This job also generates and saves a manifest of the affected objects and creates a report of the results. To use this command, replace the `{{user input placeholders}}` with your own information.  

```
aws s3control create-job --account-id {{account-id}} \
--no-confirmation-required \
--operation '{"S3UpdateObjectEncryption": {  "ObjectEncryption": { "SSEKMS": { "KMSKeyArn": "{{KMS-key-ARN-to-apply}}", "BucketKeyEnabled": false  }  }  } }' \
--report '{ "Enabled": true, "Bucket": "{{report-bucket-ARN}}",  "Format": "Report_CSV_20180820", "Prefix": "report", "ReportScope": "AllTasks" }' \
--manifest-generator '{ "S3JobManifestGenerator": { "ExpectedBucketOwner": "{{account-id}}", "SourceBucket": "{{source-bucket-ARN}}", "EnableManifestOutput": true, "ManifestOutputLocation": { "Bucket": "{{manifest-bucket-ARN}}", "ManifestFormat": "S3InventoryReport_CSV_20211130", "ManifestPrefix": "{{manifest-prefix}}" }, "Filter": {   "MatchAnyObjectEncryption": [{ "SSEKMS": { "KmsKeyArn": "{{kms-key-ARN-to-match}}" } }] } } }' \
--priority 1 \
--role-arn {{batch-operations-role-ARN}}
```
For best performance, we recommend using the `KmsKeyArn` filter in conjunction with other object metadata filters, such as `MatchAnyPrefix`, `CreatedAfter`, or `MatchAnyStorageClass`.

**Example 2 – Create a Batch Operations job that updates SSE-S3 encrypted objects to SSE-KMS**  
The following example shows how to create an S3 Batch Operations job that updates the encryption settings for multiple objects in your general purpose bucket. This command creates a job that changes objects encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3) to use server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS) instead. This job also generates and saves a manifest of the affected objects and creates a report of the results. To use this command, replace the `{{user input placeholders}}` with your own information.  

```
aws s3control create-job --account-id {{account-id}} \
--no-confirmation-required \
--operation '{"S3UpdateObjectEncryption": {  "ObjectEncryption": { "SSEKMS": { "KMSKeyArn": "{{KMS-key-ARN-to-apply}}", "BucketKeyEnabled": false  }  }  } }' \
--report '{ "Enabled": true, "Bucket": "{{report-bucket-ARN}}",  "Format": "Report_CSV_20180820", "Prefix": "report", "ReportScope": "AllTasks" }' \
--manifest-generator '{ "S3JobManifestGenerator": { "ExpectedBucketOwner": "{{account-id}}", "SourceBucket": "{{source-bucket-ARN}}", "EnableManifestOutput": true, "ManifestOutputLocation": { "Bucket": "{{manifest-bucket-ARN}}", "ManifestFormat": "S3InventoryReport_CSV_20211130", "ManifestPrefix": "{{manifest-prefix}}" }, "Filter": {   "MatchAnyObjectEncryption": [{ "SSES3": {} }] } } }' \
--priority 1 \
--role-arn {{batch-operations-role-ARN}}
```
For best performance, we recommend using the `KmsKeyArn` filter in conjunction with other object metadata filters, such as `MatchAnyPrefix`, `CreatedAfter`, or `MatchAnyStorageClass`.