#!/usr/bin/env ruby## Script to encrypt the contents of an entire S3 bucket#

1. #!/usr/bin/env ruby
2. #
3. # Script to encrypt the contents of an entire S3 bucket
4. #
5. # This works by copying each object in the bucket onto
6. # itself while modifying its server_side_encryption attribute
7. #
8. #
9. ##############################################################
10.  
11. require 'aws-sdk'
12. require 'optparse'
13.  
14. def parse_options
15. options = {}
16. OptionParser.new do |opts|
17. opts.banner = "Usage: bucket_encrypter.rb [options]"
18. opts.on('-b', '--bucket NAME', 'REQUIRED - Name of the bucket to encrypt the contents of') { |v| options[:bucket] = v }
19. opts.on('-r', '--region NAME', 'REQUIRED - Region in which the bucket to be encrypted is located') { |v| options[:region] = v }
20. opts.on('-k', '--access-key KEY', 'Access Key ID AWS credential') { |v| options[:access_key_id] = v }
21. opts.on('-s', '--secret-access-key KEY', 'Secret Access Key AWS credential') { |v| options[:secret_access_key] = v }
22. opts.on('-n', '--batch-size NUMBER', 'Size of batches to retrieve from bucket. Defaults to 100') { |v| options[:batch_size] = v }
23. opts.on('-c', '--cipher NAME', 'Method with which the objects will encrypted. Accepts aws:kms or AES256. Defaults to AES256') { |v| options[:cipher] = v }
24. opts.on('-v', '--verbose', 'Output more information. Useful for debugging or if you want to be sure things are actually working') { |v| options[:verbose] = true }
25. if options[:bucket].nil? || options[:region].nil?
26. puts opts
27. exit 1
28. end
29. end.parse!
30.  
31. options[:batch_size] = 100 if options[:batch_size].nil?
32. options[:cipher] = "AES256" if options[:cipher].nil?
33. options
34. end
35.  
36. class BucketEncrypter
37. def initialize(opts)
38. sdk_client_option_keys = %w( access_key_id secret_access_key region ).map(&:to_sym)
39. sdk_client_options = Hash[sdk_client_option_keys.map {|k| [k, opts[k]] unless opts[k].nil? }.compact]
40. @s3_client = Aws::S3::Client.new(sdk_client_options)
41. @batch_size = opts[:batch_size]
42. @cipher = opts[:cipher]
43. @bucket_name = opts[:bucket]
44. @verbose_output = !!opts[:verbose]
45. end
46.  
47. def bucket_objects
48. @bucket_objects ||= fetch_objects # only fetch the results the first time
49. end
50.  
51. def refetch_objects
52. @bucket_objects = fetch_objects # unless we decide to fetch again explicitly
53. end
54.  
55. def encrypt_all_objects
56. bucket_objects.each_with_index do |s3_object, i|
57. @s3_client.copy_object({
58. bucket: @bucket_name,
59. key: s3_object.key,
60. copy_source: "#{@bucket_name}/#{s3_object.key}",
61. server_side_encryption: @cipher
62. })
63. puts "Encrypted #{i+1} of #{bucket_objects.count} (#{s3_object.key})" if @verbose_output
64. end
65. end
66.  
67. private
68.  
69. def fetch_objects
70. objects = []
71. continuation_token = nil
72. i = 0
73. begin
74. resp = @s3_client.list_objects_v2(bucket: @bucket_name, continuation_token: continuation_token, max_keys: @batch_size)
75. continuation_token = resp.next_continuation_token
76. objects.push(*resp.contents)
77. puts "Retrieved objects #{i*@batch_size} - #{(i+1)*@batch_size} from #{@bucket_name}" if @verbose_output
78. i+=1
79. end while !continuation_token.nil?
80.  
81. objects
82. end
83. end
84.  
85. BucketEncrypter.new(parse_options).encrypt_all_objects