boto3 generate_presigned_url with SSE encryption

I am looking for examples to generate a presigned URL using boto3 and SSE encryption.

Here is my code so far:

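import logging

import boto3
from botocore.exceptions import ClientError


# The wrapper name is illustrative; the posted fragment began inside a function.
def create_presigned_url(bucket_name, object_name, expiration):
    # Generate a presigned URL for a PUT upload; returns None on failure.
    s3_client = boto3.client('s3',
                             region_name='ap-south-1',
                             endpoint_url='http://s3.ap-south-1.amazonaws.com',
                             config=boto3.session.Config(signature_version='s3v4'),
                             )
    try:
        response = s3_client.generate_presigned_url('put_object',
                                                    Params={'Bucket': bucket_name,
                                                            'Key': object_name},
                                                    ExpiresIn=expiration)
    except ClientError as e:
        logging.error("In client error exception code")
        logging.error(e)
        return None
    return response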

I am struggling to find the right parameters to use SSE encryption. I am able to use a PUT call to upload a file. I would also like to know the headers to use from the client side to adhere to SSE encryption.



Solution 1:[1]

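import boto3

access_key = "..."
secret_key = "..."
bucket = "..."
s3 = boto3.client('s3',
                  aws_access_key_id=access_key,
                  aws_secret_access_key=secret_key)


# The function wrapper is added so that the return statement is valid.
def get_presigned_url(filename):
    # Presign a GET request for the given object key.
    return s3.generate_presigned_url(
        ClientMethod='get_object',
        Params={
            'Bucket': bucket,
            'Key': filename,
            'SSECustomerAlgorithm': 'AES256',
        }
    )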

Also add the header:

'x-amz-server-side-encryption': 'AES256'

in the front-end code when calling the presigned URL.

Solution 2:[2]

You can add Conditions to the pre-signed URL that must be met for the upload to be valid. This could probably include x-amz-server-side-encryption.

See: Creating a POST Policy - Amazon S3

Alternatively, you could add a bucket policy that denies any request that is not encrypted.

See: How to Prevent Uploads of Unencrypted Objects to Amazon S3 | AWS Security Blog

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 John Rotenstein