s3.Bucket(bucket_name).download_file(key, destination)

I use the above boto3 code to download an S3 object.

The object on S3 that I’m trying to download using the code above is encrypted using KMS encryption.

Will download_file decrypt the object as well while it downloads the same?

>Solution :

If it is using S3 server side encryption, then yes S3 will decrypt it and you download a decrypted file. The download will happen over SSL/TLS so it will be protected by encryption in transit. Note that the IAM role performing the download will need to have decrypt permission on the KMS key as well.

If the file was encrypted using client side encryption, then you would have to decrypt it after download.