I recall trying a couple of different times to check if an S3 bucket had server-side encryption enabled, as well as how to encrypt an already existing bucket that doesn't have encryption enabled. Obviously, if the data you're encrypting is sensitive, you'll want to invalidate the data in the unencrypted key and re-create it, then store that secret or credential information in a new, encrypted bucket.
Check for Existing Bucket
aws s3 commands don't have an option for
this, but the
aws s3api command does. Simply run:
aws s3api head-object --bucket YOURBUCKET --key KEYTOOBJECT
You'll get JSON output that includes the "ServerSideEncryption" key (set to "AWS256") if your bucket is encrypted.
Encrypt Existing Bucket In Place
If you need to encrypt a bucket that already exists, you can run
aws s3 cp --sse s3://YOURBUCKET/KEYTOOBJECT s3://YOURBUCKET/KEYTOOBJECT