AWS S3 CP Command Line Example to Change Encryption keys

The AWS Console allows you to upload files to a bucket and set the server-side encryption. This defaults to AES256. However, there are times when you may want to encrypt an S3 object using a specific key, for example for an RDS SQL database native restore. You may therefore need to change the key used to encrypt an S3 object. In that case, this command line example may prove useful to others.

To change an existing AES256-encrypted object to another encryption key in KMS, use the AWS S3 CP command:

aws s3 cp s3://mybucket/test.txt s3://mybucket/test2.txt --sse aws:kms --sse-kms-key-id <key arn>

Because the original file was encrypted with the default server-side encryption of AES256, the command automatically assumes AES256 for the source and decrypts the file as part of the copy process, then re-encrypts it with the new key.
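After the copy it is worth confirming that the new object really is encrypted with the intended KMS key. The following is an added example, not part of the original post: the function names are made up for illustration, the bucket, object names and key ARN are placeholders, and it assumes you pass the full key ARN as in the command above.

```shell
# Added example: re-encrypt an object with a KMS key, then verify the result.
# Function names are hypothetical; bucket, keys and ARN are placeholders.

# sse_state BUCKET KEY
# Prints "<ServerSideEncryption><TAB><SSEKMSKeyId>" for the object.
# With --output text a missing SSEKMSKeyId prints as "None",
# so an AES256 (SSE-S3) object yields "AES256<TAB>None".
sse_state() {
  aws s3api head-object --bucket "$1" --key "$2" \
    --query '[ServerSideEncryption, SSEKMSKeyId]' --output text
}

# sse_matches STATE EXPECTED_KEY_ARN
# Returns 0 only if STATE reports aws:kms with exactly the expected key ARN.
sse_matches() {
  state=$1
  want=$2
  alg=$(printf '%s\n' "$state" | awk '{print $1}')
  key=$(printf '%s\n' "$state" | awk '{print $2}')
  [ "$alg" = "aws:kms" ] && [ "$key" = "$want" ]
}

# rekey_object BUCKET SRC_KEY DST_KEY KEY_ARN
# Runs the copy from the article, then checks the destination object.
rekey_object() {
  aws s3 cp "s3://$1/$2" "s3://$1/$3" \
    --sse aws:kms --sse-kms-key-id "$4" || return 1
  if sse_matches "$(sse_state "$1" "$3")" "$4"; then
    echo "OK: s3://$1/$3 is encrypted with $4"
  else
    echo "MISMATCH: s3://$1/$3 is not encrypted with $4" >&2
    return 1
  fi
}

# Usage (placeholders, as in the article):
#   rekey_object mybucket test.txt test2.txt "<key arn>"
```

The check fails for an object still on AES256 as well as for one encrypted with a different KMS key, so it also catches a copy that silently fell back to the bucket default.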