If you have permission to decrypt the KMS key and access to the S3 bucket/object, you'll be able to access the file without any issue. If a user has access to this S3 bucket/object but doesn't have access to the KMS key, he would get access denied while trying to GetObject.
Refer to this re:Post Knowledge Center article.
Hope this clarifies your doubt. Comment here if you have additional questions, happy to assist.
Abhishek
Encryption Process:
You use SSEKMSKeyId during putObject to specify the KMS key for encryption. S3 encrypts the uploaded file data "at rest" using the provided KMS key. This means the data is encrypted on S3's servers. Crucially, S3 stores the information about the KMS key used for encryption along with the object itself.
Decryption Process:
When you call getObject on the encrypted object, S3 retrieves the necessary information about the KMS key from the object's metadata. S3 automatically decrypts the object data using the retrieved KMS key before returning it to you.
Why SSEKMSKeyId Isn't Needed in getObject:
Since S3 stores the KMS key information with the object, you don't need to include SSEKMSKeyId again during getObject. S3 already knows which key to use for decryption.
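The flow both answers describe, as an added example that is not part of either answer: a boto3 sketch (`put_object`/`get_object` are the Python equivalents of putObject/getObject) that names the KMS key only on upload, reads the key S3 reports on download, and surfaces the access-denied case. The bucket name, object key and key ARN are placeholders, and the helper names are hypothetical.

```python
"""SSE-KMS round trip: the KMS key is named on put_object only."""


def put_encrypted(s3, bucket, key, body, kms_key_id):
    """Upload with SSE-KMS; this is the only call that passes SSEKMSKeyId."""
    return s3.put_object(
        Bucket=bucket, Key=key, Body=body,
        ServerSideEncryption="aws:kms",
        SSEKMSKeyId=kms_key_id,
    )


def get_decrypted(s3, bucket, key):
    """Download with no KMS parameter.

    Returns (body_bytes, kms_key_id, None) on success, or
    (None, None, message) when the caller is denied.
    """
    try:
        resp = s3.get_object(Bucket=bucket, Key=key)
    except Exception as exc:  # botocore.exceptions.ClientError in real use
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") != "AccessDenied":
            raise
        # A caller allowed to read the object but not to use the KMS key
        # lands here, as the first answer describes.
        return None, None, error.get("Message", "AccessDenied")
    # S3 reports the key it decrypted with, taken from the object's metadata.
    return resp["Body"].read(), resp.get("SSEKMSKeyId"), None


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a real bucket/key to run

    BUCKET = "example-bucket"  # placeholder
    KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    client = boto3.client("s3")
    put_encrypted(client, BUCKET, "report.txt", b"hello", KMS_KEY)
    data, used_key, denied = get_decrypted(client, BUCKET, "report.txt")
    print(denied or f"read {len(data)} bytes, decrypted with {used_key}")
```
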