#!/usr/bin/env bash
# Spot-check whether a bucket blocks SSE-C and whether encryption config is set.
# Context: April 2026 S3 default disable of SSE-C on new / non-SSE-C accounts.
# Usage: ./audit-ssec-inventory.sh <bucket> <region>

set -euo pipefail

BUCKET="${1:?bucket required}"
REGION="${2:-us-east-1}"

echo "== GetBucketEncryption for s3://${BUCKET} =="
aws s3api get-bucket-encryption --bucket "$BUCKET" --region "$REGION" || {
  echo "No encryption config returned (unexpected for most post-2023 buckets)."
  exit 1
}

echo
echo "== Tip: use S3 Inventory or Athena over inventory for EncryptionStatus = SSE-C =="
echo "Generate inventory CSV then filter, or CloudTrail Lake query on PutObject SSE-C headers."
echo
echo "== Optional probe (will 403 if SSE-C is blocked) =="
echo "aws s3api put-object --bucket ${BUCKET} --key probe-ssec.txt --body /etc/hosts \\"
echo "  --sse-customer-algorithm AES256 --sse-customer-key \$(openssl rand -base64 32)"
