Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Is it possible to access to a public image in an KMS encrypted bucket without signature

0

Hi everyone,

we tried to encrypt our S3 bucket with SSE-KMS key provided by AWS and everything is working fine except when we try to access images uploaded with ACL public-read. We get this error:

<Error>
<Code>InvalidArgument</Code>
<Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7DTKMXMNF96AK54C</RequestId>
<HostId>h97Cnkid3HVkjoJ/iZR2FniRNz4Gm59eqUlnSU2KNyzwhC7FtDyVnA3NVS7nKx0CtGECI1YnlzI=</HostId>
</Error>

It looks like a nonsense to have public encrypted objects but we use only one bucket for our application and some objects can be public while some other are not. We do not know how to generate a link that make the image accessible to everyone and that will not expire.

Can anybody help on this ?

Regards Quentin

  • AWS-User-9602894
    vor 2 Jahren

    Quentin, Adding a comment here related to data classification and using separate buckets. It's best practice to separate data with different data classifications for a variety of reasons (e.g. security, life-cycle management, etc). Revisiting this decision could improve your security and operating model.

Themen
SpeicherSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAWS-Schlüsselverwaltungsservice
Sprache
English
QuentinD-Capsens
gefragt vor 2 Jahren3323 Aufrufe
3 Antworten
2

All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only controls the get/put actions, not encryption). You have two options, don't use default bucket encryption and only encrypt objects that are not going to be public. Or use two buckets, one with default bucket encryption for private objects, and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).

AWS
mike
beantwortet vor 2 Jahren
AWS
EXPERTE
Hernito
überprüft vor 2 Jahren
0

Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects

QuentinD-Capsens
beantwortet vor 2 Jahren
  • Chenjie Ni
    vor 2 Jahren

    You CAN technically unencrypt an object in a bucket where the default bucket encryption is turned on using the AWS web console ONLY. If anyone knows a way to achieve this using API, please let me know.

0

All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version

AWS
AWS-User-9602894
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt