How do I troubleshoot the error "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4" when I try to access S3 objects that are encrypted with AWS KMS managed keys?


I'm trying to access Amazon Simple Storage Service (Amazon S3) objects that are encrypted with AWS Key Management Service (AWS KMS). I get the error "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4".

Resolution

You get this error when you access an AWS KMS-encrypted object using a signature version that's not AWS Signature Version 4. When you access an S3 object that's encrypted with an AWS KMS key, be sure that all your requests are signed with AWS Signature Version 4.

Be sure that you aren't making an anonymous request

You might get this error when you make an anonymous request. An anonymous request is a request that's not signed with AWS credentials. An example of an anonymous request is downloading an S3 object using the object URL in your browser or in an HTTP client. An S3 object URL looks like the following:

https://bucketname.s3.region.amazonaws.com/folder/file.txt

Using an HTTP client such as curl, you can make an anonymous request with a command similar to the following:

curl -vo ./local/path/file.txt https://bucketname.s3.region.amazonaws.com/folder/file.txt

Be sure that you aren't using AWS Signature Version 2

Some S3 REST API endpoints and Regions still support requests that are signed using Signature Version 2. However, it's a best practice to use Signature Version 4 for signing requests. For more information, see AWS Signature Version 2 turned off (deprecated) for Amazon S3.

Because some Regions still support Signature Version 2, you can make requests that are signed with Signature Version 2 to buckets in these Regions. However, AWS KMS requires that your requests are signed with Signature Version 4. If you use Signature Version 2 with an AWS KMS-encrypted object, this error appears:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

To identify the signature version that you used when making requests to objects in your bucket, try the following:

Note: For requests that specify AWS KMS managed keys, you must use Secure Sockets Layer (SSL) or Transport Layer Security (TLS). If you make a request that specifies AWS KMS keys over an insecure connection (without SSL/TLS), then you get the following error:

An error occurred (InvalidArgument) when calling the <operation_performed> operation: Requests specifying Server Side Encryption with AWS KMS managed keys must be made over a secure connection.
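To tell which signing scheme a request actually used, here is an added example (not from the original article) that classifies a request by its Authorization header or its presigned-URL query parameters and flags both conditions this article describes: a request that is anonymous or Signature Version 2 rather than Version 4, and a request made over plain HTTP instead of TLS. The sample requests, the access key ID AKIAEXAMPLE and the signature values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

SIGV4_ALGORITHM = "AWS4-HMAC-SHA256"


def classify_signature(url, headers=None):
    """Return 'sigv4', 'sigv2' or 'anonymous' for one S3 request.

    Header-signed requests carry an Authorization header; presigned URLs carry
    the signature in the query string. Header names are matched
    case-insensitively. Anything else counts as anonymous (unsigned).
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    auth = headers.get("authorization", "")
    if auth.startswith(SIGV4_ALGORITHM + " "):
        return "sigv4"      # "AWS4-HMAC-SHA256 Credential=.../s3/aws4_request, ..."
    if auth.startswith("AWS "):
        return "sigv2"      # legacy form "AWS <AccessKeyId>:<Signature>"
    query = parse_qs(urlsplit(url).query)
    if query.get("X-Amz-Algorithm", [""])[0] == SIGV4_ALGORITHM:
        return "sigv4"      # SigV4 presigned URL
    if "AWSAccessKeyId" in query and "Signature" in query:
        return "sigv2"      # SigV2 presigned URL
    return "anonymous"


def check_sse_kms_request(url, headers=None):
    """Return (ok, reasons) for a request against an SSE-KMS encrypted object.

    Both requirements from the article are checked: Signature Version 4 and TLS.
    """
    reasons = []
    if urlsplit(url).scheme != "https":
        reasons.append("not over a secure connection")
    version = classify_signature(url, headers)
    if version != "sigv4":
        reasons.append(f"{version} request; AWS KMS requires Signature Version 4")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples: AKIAEXAMPLE and the signature strings are placeholders.
    base = "https://bucketname.s3.region.amazonaws.com/folder/file.txt"
    v4_header = (SIGV4_ALGORITHM + " Credential=AKIAEXAMPLE/20240101/region/s3/"
                 "aws4_request, SignedHeaders=host;x-amz-date, Signature=abcdef")
    samples = {
        "browser download": (base, None),
        "sigv2 header": (base, {"Authorization": "AWS AKIAEXAMPLE:c2lnbmF0dXJl"}),
        "sigv4 header": (base, {"Authorization": v4_header}),
        "sigv4 presigned": (base + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=abcdef", None),
        "sigv2 presigned over http": (base.replace("https", "http") + "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1&Signature=abc", None),
    }
    for name, (url, hdrs) in samples.items():
        print(f"{name}: {check_sse_kms_request(url, hdrs)}")
```

Run it against the URL and headers your client actually sends (for example from `curl -v` output) to see which of the two checks a failing request trips.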

Related information

Specifying server-side encryption with AWS KMS (SSE-KMS)

Authenticating requests (AWS Signature Version 2)

AWS OFFICIAL
Updated a year ago