Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?
3 minute read
I want to download stored objects from Amazon Simple Storage Service (Amazon S3) that use server-side encryption with AWS Key Management Service-managed keys (SSE-KMS).
You don't need to specify the AWS Key Management Service (AWS KMS) key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Instead, you need the permission to decrypt the AWS KMS key.
When a user sends a GET request, Amazon S3 must check for the appropriate authorization. Amazon S3 checks if the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to decrypt the object's key. If the IAM user or role and key belong to the same AWS account, then decrypt permissions must be granted on the key policy.
Note: For IAM users or roles that belong to a different account than the bucket, the bucket policy must also grant the user access to objects. For example, if the user needs to download from the bucket, then the user must have permission to the s3:GetObject action on the bucket policy.
After you have the permission to decrypt the key, you can download S3 objects encrypted with the key using the AWS Command Line Interface (AWS CLI). Run a command similar to the following: