How can I configure my S3 bucket to store only objects encrypted by my KMS key?


I want my Amazon Simple Storage Service (Amazon S3) bucket to store only objects that are encrypted by an AWS Key Management Service (AWS KMS) key from my AWS account. How can I be sure that only those objects can be uploaded to my bucket?

Short description

Use Amazon S3 default encryption to be sure that objects uploaded without encryption headers (such as x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id) are encrypted by AWS KMS before they are stored in your S3 bucket. Then, use the bucket policy to be sure that objects with another encryption setting (AES-256) can't be uploaded, and that objects uploaded with AWS KMS encryption contain a key ID from your AWS account.

Note: To upload an object encrypted by an AWS KMS key, the key and the S3 bucket must be in the same AWS Region.

Resolution

Amazon S3 default encryption

Follow these steps to set your bucket's Amazon S3 default encryption to AWS KMS using the Amazon S3 console:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Properties view.
  4. Choose Default encryption, then select AWS-KMS.
  5. Choose Save.

Note: To enable Amazon S3 default encryption using the REST API, AWS Command Line Interface (AWS CLI), or an AWS SDK, see Configuring default encryption.

Bucket policy

Follow these steps to configure your bucket policy to deny upload requests that either use another encryption setting (AES-256), or that use AWS KMS encryption but contain a key ID that's not from your AWS account:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. Enter a bucket policy similar to the following:
    Note: Replace samplebucketname with the name of your bucket, and replace us-east-1:111122223333 with the correct AWS Region and your AWS account ID.
{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenySSE-S3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::samplebucketname/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::samplebucketname/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
                }
            }
        }
    ]
}
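The two console procedures above can also be done from code, and it helps to see what each policy statement does to a request before the policy is deployed. The following is an added Python/boto3 example, not code from the AWS article: it builds the article's two-statement policy for any bucket, Region and account ID, builds the matching SSE-KMS default-encryption rule, applies both with boto3, and classifies sample PutObject headers according to the outcome the article describes (AES256 denied, a KMS key ARN outside the account or Region denied, an in-account key accepted, and a request with no key header passed through by the IfExists operator and encrypted by the bucket default). The bucket name, account ID and key ARN are placeholders, the sample header sets are constructed, and the local check assumes the key header carries a full key ARN, as the article's policy pattern does.

```python
"""Added example (not from the AWS article): parameterise the article's bucket
policy and SSE-KMS default encryption, apply them with boto3, and pre-check
PutObject headers locally.  All bucket/account/key values are placeholders."""
import fnmatch
import json

SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def kms_key_pattern(region: str, account_id: str) -> str:
    """StringLike pattern for any KMS key in one account and Region (the key and
    the bucket must be in the same Region)."""
    return f"arn:aws:kms:{region}:{account_id}:key/*"


def build_bucket_policy(bucket: str, region: str, account_id: str) -> dict:
    """The article's policy: deny SSE-S3 (AES256) uploads, and deny SSE-KMS
    uploads whose key is outside this account/Region."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            {"Sid": "DenySSE-S3", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringEquals": {f"s3:{SSE_HEADER}": "AES256"}}},
            {"Sid": "RequireKMSEncryption", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotLikeIfExists": {
                 f"s3:{KMS_KEY_HEADER}": kms_key_pattern(region, account_id)}}},
        ],
    }


def build_default_encryption(key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption: SSE-KMS with
    the account's key, used for uploads that send no encryption headers."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn}}]}


def check_put_request(headers: dict, region: str, account_id: str) -> str:
    """Classify a PutObject request as the deployed policy plus default
    encryption treat it, per the article.  Returns "denied:<Sid>" or how the
    stored object ends up encrypted."""
    sse = headers.get(SSE_HEADER)
    key_id = headers.get(KMS_KEY_HEADER)
    if sse == "AES256":
        return "denied:DenySSE-S3"            # first statement matches
    if key_id is not None:
        if not fnmatch.fnmatchcase(key_id, kms_key_pattern(region, account_id)):
            return "denied:RequireKMSEncryption"   # foreign account or Region
        return "stored:SSE-KMS (request key)"
    # No key header: IfExists means the second Deny does not apply, and bucket
    # default encryption encrypts the object with the bucket's KMS key.
    return "stored:SSE-KMS (bucket default key)"


def apply_to_bucket(bucket: str, region: str, account_id: str, key_arn: str) -> None:
    """Apply both settings with boto3 (imported here so the helpers above run
    without AWS credentials).  The caller needs s3:PutEncryptionConfiguration
    and s3:PutBucketPolicy on the bucket."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_default_encryption(key_arn))
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(build_bucket_policy(bucket, region, account_id)))
    # Read back and confirm the default algorithm really is aws:kms.
    rule = s3.get_bucket_encryption(Bucket=bucket)[
        "ServerSideEncryptionConfiguration"]["Rules"][0]
    if rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] != "aws:kms":
        raise RuntimeError(f"default encryption on {bucket} is not SSE-KMS")


if __name__ == "__main__":
    REGION, ACCOUNT = "us-east-1", "111122223333"    # article placeholders
    own = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
    samples = {                                       # constructed requests
        "no headers": {},
        "sse-s3": {SSE_HEADER: "AES256"},
        "own key": {SSE_HEADER: "aws:kms", KMS_KEY_HEADER: own},
        "foreign key": {SSE_HEADER: "aws:kms", KMS_KEY_HEADER:
                        "arn:aws:kms:us-east-1:999999999999:key/PLACEHOLDER-KEY-ID"},
    }
    for name, hdrs in samples.items():
        print(f"{name:12s} -> {check_put_request(hdrs, REGION, ACCOUNT)}")
    print(json.dumps(build_bucket_policy("samplebucketname", REGION, ACCOUNT), indent=4))
    # apply_to_bucket("samplebucketname", REGION, ACCOUNT, own)  # needs credentials
```

Run it as a script to see the four sample requests classified and the generated policy; call apply_to_bucket with real values once the local output looks right. The pattern in the second statement includes the Region, so a key from your own account in another Region is also denied, which matches the article's note that the key and bucket must share a Region.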

Related information

How Amazon Simple Storage Service (Amazon S3) uses AWS KMS

AWS OFFICIAL

Updated 3 months ago