Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Is it possible to access to a public image in an KMS encrypted bucket without signature

0

Hi everyone,

we tried to encrypt our S3 bucket with SSE-KMS key provided by AWS and everything is working fine except when we try to access images uploaded with ACL public-read. We get this error:

<Error>
<Code>InvalidArgument</Code>
<Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7DTKMXMNF96AK54C</RequestId>
<HostId>h97Cnkid3HVkjoJ/iZR2FniRNz4Gm59eqUlnSU2KNyzwhC7FtDyVnA3NVS7nKx0CtGECI1YnlzI=</HostId>
</Error>

It looks like a nonsense to have public encrypted objects but we use only one bucket for our application and some objects can be public while some other are not. We do not know how to generate a link that make the image accessible to everyone and that will not expire.

Can anybody help on this ?

Regards Quentin

  • AWS-User-9602894
    hace 2 años

    Quentin, Adding a comment here related to data classification and using separate buckets. It's best practice to separate data with different data classifications for a variety of reasons (e.g. security, life-cycle management, etc). Revisiting this decision could improve your security and operating model.

Temas
AlmacenamientoSeguridad, identidad y cumplimiento
Etiquetas
Amazon Simple Storage ServiceAWS Key Management Service
Idioma
English
QuentinD-Capsens
preguntada hace 2 años3324 visualizaciones
3 Respuestas
2

All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only controls the get/put actions, not encryption). You have two options, don't use default bucket encryption and only encrypt objects that are not going to be public. Or use two buckets, one with default bucket encryption for private objects, and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).

AWS
mike
respondido hace 2 años
AWS
EXPERTO
Hernito
revisado hace 2 años
0

Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects

QuentinD-Capsens
respondido hace 2 años
  • Chenjie Ni
    hace 2 años

    You CAN technically unencrypt an object in a bucket where the default bucket encryption is turned on using the AWS web console ONLY. If anyone knows a way to achieve this using API, please let me know.

0

All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version

AWS
AWS-User-9602894
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante