I recall trying a couple of different times to check if an S3 bucket had server-side encryption enabled, as well as how to encrypt an already existing bucket that doesn't have encryption enabled. Obviously, if the data you're encrypting is sensitive, you'll want to invalidate the data in the unencrypted key and re-create it, then store that secret or credential information in a new, encrypted bucket.

Check for Existing Bucket

The aws s3 commands don't have an option for this, but the aws s3api command does. Simply run:

aws s3api head-object --bucket YOURBUCKET --key KEYTOOBJECT

You'll get JSON output that includes the "ServerSideEncryption" key (set to "AWS256") if your bucket is encrypted.

Encrypt Existing Bucket In Place

If you need to encrypt a bucket that already exists, you can run

aws s3 cp --sse s3://YOURBUCKET/KEYTOOBJECT s3://YOURBUCKET/KEYTOOBJECT