I want my S3 bucket to store only objects encrypted by my KMS key. How can I do that?


I want my Amazon Simple Storage Service (Amazon S3) bucket to store only objects that are encrypted by an AWS Key Management Service (AWS KMS) key from my AWS account. How can I be sure that only those objects can be uploaded to my bucket?

Short description

Use Amazon S3 default encryption so that objects uploaded without encryption headers are encrypted with AWS KMS (SSE-KMS) before they're stored in your S3 bucket. Encryption headers are headers such as x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id. Then, use a bucket policy to deny any upload that isn't encrypted with AWS KMS, or that uses an AWS KMS key other than the one from your AWS account.

Note: To upload an object encrypted by an AWS KMS key, the key and the S3 bucket must be in the same AWS Region.

Resolution

Amazon S3 default encryption

Follow these steps to set your bucket's Amazon S3 default encryption to AWS KMS using the Amazon S3 console:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Properties view.
  4. Choose Default encryption, then select AWS-KMS.
  5. Under AWS KMS key, choose your AWS KMS Key.
  6. Under Bucket Key, choose Enable. This setting turns on Amazon S3 Bucket Keys, which reduce the number of requests that Amazon S3 makes to AWS KMS and therefore the cost of SSE-KMS.
  7. Choose Save.

Note: To turn on Amazon S3 default encryption using the REST API, AWS Command Line Interface (AWS CLI), or an AWS SDK, see Turning on Amazon S3 default bucket encryption.

Bucket policy

Follow these steps to configure your bucket policy to deny upload requests that use a different encryption setting (for example, SSE-S3 with AES256), and upload requests that use AWS KMS encryption but specify a key ID that's not from your AWS account:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. Enter a bucket policy similar to the following:
    Note: Replace bucketname with the name of your bucket. Replace us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab with your AWS Region, AWS account ID, and AWS KMS Key ID.
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "RequireKMSEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireSpecificKMSKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}

After you add this bucket policy to your S3 bucket, you must include the headers x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id when uploading objects to your S3 bucket. Default encryption alone doesn't satisfy the policy, because the conditions are evaluated against the headers on the request, and a request with no encryption headers matches the Deny. For more information, see Request syntax.
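The following is an added example, not code from the AWS article. It builds the default-encryption configuration from the console steps above and the bucket policy from this section as the inputs that boto3's put_bucket_encryption and put_bucket_policy take, and then evaluates that policy locally against a set of constructed PutObject requests so you can see, without an AWS account, which header combinations are denied and which statement denies them. The bucket name, key ARNs, sample requests, and the function names are assumptions; the evaluator implements only the two condition operators the policy uses, following the documented IAM rule that a negated operator (with or without IfExists) evaluates to true when the context key is absent from the request.

```python
"""Added example (not from the AWS article). Bucket name, key ARNs and sample
requests are constructed; function names are illustrative."""
import json
import re

SSE_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Constructed values: the article's placeholder key ARN and a key in another account.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_ACCOUNT_KEY_ARN = "arn:aws:kms:us-east-1:999999999999:key/0000aaaa-00aa-00aa-00aa-000000000000"


def default_encryption_config(key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption: SSE-KMS with
    key_arn as the bucket default and Bucket Key enabled (console steps 4 to 6)."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True}]}


def bucket_policy(bucket: str, key_arn: str) -> dict:
    """The article's two Deny statements, with one consistent bucket name."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [
        {"Sid": "RequireKMSEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
        {"Sid": "RequireSpecificKMSKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotLikeIfExists": {KEY_HEADER: key_arn}}}]}


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' matches any run, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_true(operator: str, key: str, expected: str, context: dict) -> bool:
    """True when this condition key is satisfied, i.e. the Deny applies."""
    if key not in context:
        # Documented IAM semantics: a negated operator, IfExists or not, is true
        # when the key is missing from the request context.
        return operator.startswith("StringNot")
    actual = context[key]
    if operator.startswith("StringNotEquals"):
        return actual != expected
    if operator.startswith("StringNotLike"):
        return not _like(expected, actual)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_put(policy: dict, headers: dict) -> str:
    """Evaluate the Deny statements of `policy` against a PutObject carrying the
    given x-amz-* headers. Returns 'Deny:<Sid>' for the first matching Deny,
    otherwise 'Allow' (assuming the caller is otherwise authorized)."""
    context = {f"s3:{name.lower()}": value for name, value in headers.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        # All operator blocks, and all keys within each block, must be satisfied.
        if all(all(_condition_true(op, k, v, context) for k, v in pairs.items())
               for op, pairs in stmt["Condition"].items()):
            return f"Deny:{stmt['Sid']}"
    return "Allow"


# Constructed sample uploads covering each header combination the policy cares about.
SAMPLE_REQUESTS = {
    "no headers (relies on default encryption)": {},
    "SSE-S3 (AES256)": {"x-amz-server-side-encryption": "AES256"},
    "SSE-KMS, key ID omitted": {"x-amz-server-side-encryption": "aws:kms"},
    "SSE-KMS, another account's key": {"x-amz-server-side-encryption": "aws:kms",
                                       "x-amz-server-side-encryption-aws-kms-key-id": OTHER_ACCOUNT_KEY_ARN},
    "SSE-KMS, own key": {"x-amz-server-side-encryption": "aws:kms",
                         "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN},
}


def simulate(bucket: str, key_arn: str) -> dict:
    """Verdict for every sample request under the generated bucket policy."""
    policy = bucket_policy(bucket, key_arn)
    return {name: evaluate_put(policy, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


def apply_to_bucket(bucket: str, key_arn: str) -> None:
    """Push both settings to a real bucket with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline simulation runs without boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=default_encryption_config(key_arn))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, key_arn)))


if __name__ == "__main__":
    for name, verdict in simulate("bucketname", KEY_ARN).items():
        print(f"{verdict:28} {name}")
```

Only the last request, SSE-KMS with the account's own key ARN, is allowed. A request with no headers is denied by RequireKMSEncryption even though default encryption would have encrypted it, which is why the headers are mandatory once the policy is attached.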


Related information

How Amazon Simple Storage Service (Amazon S3) uses AWS KMS

Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys

AWS OFFICIAL. Updated a year ago.