S3 Bucket Keys & IAM Policy Integration

0

We are looking to implement S3 bucket keys but I can't find any documentation when it comes to modification of an IAM policy. I've gone through AWS documentation here:

https://aws.amazon.com/blogs/storage/reduce-encryption-costs-by-using-amazon-s3-bucket-keys-on-existing-objects/
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html#bucket-key-changes

The documentation states that we would possibly need to update IAM policies to allow for the S3 bucket key, but I can't find anything specific on how to go about that. For this purpose, we also don't want to give this policy permission to create buckets.

2 Answers
0
Accepted Answer

Hello,

Please note that if you plan to enable S3 Bucket Keys, you need to update your AWS Identity and Access Management (IAM) policies or AWS KMS key policies before you do so. If your existing IAM policies or AWS KMS key policies use your object Amazon Resource Name (ARN) as the encryption context to refine or limit access to your KMS key, these policies won't work with an S3 Bucket Key. S3 Bucket Keys use the bucket ARN as the encryption context. Before you enable an S3 Bucket Key, update your IAM policies or AWS KMS key policies to use your bucket ARN as the encryption context.

If you use SSE-KMS and enable an S3 Bucket Key, the bucket ARN is used as the encryption context.

arn:aws:s3:::bucket_ARN

As an example, when S3 Bucket Keys are enabled, the encryption context condition in the IAM policy statement should look as follows:

{
    "Action": [
        "kms:*"
    ],
    "Effect": "Allow",
    "Condition": {
        "StringLike": {
            "kms:ViaService": "s3.bucket-region.amazonaws.com",
            "kms:EncryptionContext:aws:s3:arn": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ]
        }
    },
    "Resource": [
        "List of the AWS KMS key ARNs that are used to encrypt objects."
    ]
}

(You can restrict the KMS actions in "Action" as per your use case.)

As you can see in the above statement, the encryption context is specified on the bucket ARN and not the object ARN. You need to make similar changes in your IAM policy. One of the example policies is given in the S3 replication use cases, where the IAM policy grants the necessary permissions to replicate objects with S3 Bucket Keys. Please refer to the 'Example – Replicating objects with S3 Bucket Keys' section in the following link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replications

Further, please note that the changes concern only the encryption context, and only KMS actions are considered for this use case. No S3 actions need to be updated, and hence the policy would still restrict the users/roles from creating buckets, which was one of your concerns.

AWS
SUPPORT ENGINEER
answered 7 months ago
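The check a practitioner would want before flipping the bucket-key setting is whether any statement in the current IAM or KMS key policy conditions on an object ARN, since that is exactly the condition that stops matching once KMS starts receiving the bucket ARN as encryption context. The following Python script is an added example, not part of the answer above or of any AWS tooling; it models the `StringLike`/`StringEquals` semantics of the `kms:EncryptionContext:aws:s3:arn` condition, flags statements that match an object ARN but not the bucket ARN, suggests the bucket-ARN form, and also lists any S3 actions the policy would grant (to confirm it adds no bucket-creation rights). The account ID, KMS key ID, bucket name and statement IDs in the embedded sample policy are constructed for the example.

```python
"""Audit an IAM or KMS key policy for kms:EncryptionContext:aws:s3:arn
conditions that stop matching once S3 Bucket Keys are enabled.

Without a Bucket Key, S3 calls KMS with the object ARN as encryption context
(aws:s3:arn = arn:aws:s3:::bucket/key). With a Bucket Key, KMS sees the
bucket ARN (aws:s3:arn = arn:aws:s3:::bucket), so a condition written for
object ARNs such as "arn:aws:s3:::bucket/*" no longer matches.
"""
import fnmatch
import json

EC_KEY = "kms:EncryptionContext:aws:s3:arn"
# Operators modelled here: StringLike takes * and ? wildcards, StringEquals
# is exact; both compare case-sensitively in IAM (condition *keys* do not).
STRING_OPS = ("StringLike", "StringEquals")


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(op, pattern, value):
    if op == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern


def _suggest(patterns):
    """Rewrite object-ARN patterns (arn:aws:s3:::bucket/...) to the bare
    bucket ARN; leave other values alone; drop duplicates, keep order."""
    out = []
    for p in patterns:
        if ":s3:::" in p and "/" in p:
            p = p.split("/", 1)[0]
        if p not in out:
            out.append(p)
    return out


def audit_policy(policy, bucket, sample_key="example-object"):
    """One finding per statement that conditions on aws:s3:arn, saying whether
    it matches a Bucket Key call (bucket ARN) and a per-object call (object
    ARN). policy may be a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    b_arn, o_arn = bucket_arn(bucket), object_arn(bucket, sample_key)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        for op in STRING_OPS:
            for key, value in cond.get(op, {}).items():
                if key.lower() != EC_KEY.lower():
                    continue
                patterns = _as_list(value)
                hit_bucket = any(_matches(op, p, b_arn) for p in patterns)
                hit_object = any(_matches(op, p, o_arn) for p in patterns)
                findings.append({
                    "sid": stmt.get("Sid", "<no Sid>"),
                    "operator": op,
                    "patterns": patterns,
                    "matches_bucket_arn": hit_bucket,
                    "matches_object_arn": hit_object,
                    "breaks_with_bucket_key": hit_object and not hit_bucket,
                    "suggested_patterns": _suggest(patterns),
                })
    return findings


def s3_actions_granted(policy):
    """List Allow actions that could grant S3 API calls ('*', 's3:*', 's3:...'),
    to confirm the KMS policy adds no bucket permissions (e.g. s3:CreateBucket)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower().startswith("s3:"):
                hits.append(action)
    return hits


# Constructed sample policy (hypothetical account ID, key ID, bucket, Sids).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # pre-Bucket-Key style: scoped to objects via the object ARN
            "Sid": "ObjectScoped", "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {"StringLike": {
                "kms:ViaService": "s3.us-east-1.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}},
        },
        {   # Bucket-Key style: scoped to the bucket ARN
            "Sid": "BucketScoped", "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {"StringEquals": {
                "kms:ViaService": "s3.us-east-1.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"}},
        },
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY, "DOC-EXAMPLE-BUCKET"):
        status = "BREAKS with Bucket Key" if f["breaks_with_bucket_key"] else "ok"
        print(f'{f["sid"]}: {f["operator"]} {f["patterns"]} -> {status}; '
              f'suggested: {f["suggested_patterns"]}')
    print("S3 actions granted:", s3_actions_granted(SAMPLE_POLICY))
```

Two caveats on using this. It only models that one condition key for one bucket and ignores `Resource`, `kms:ViaService`, Deny statements and `ForAnyValue`/`ForAllValues` set operators, so treat it as a pre-flight check rather than an IAM simulator. And enabling a Bucket Key does not re-encrypt objects already in the bucket: those keep the object ARN as their stored encryption context until they are copied over, so during a migration the condition typically has to allow both the bucket ARN and the old `bucket/*` pattern rather than simply replacing one with the other.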
0

Thank you for your question.

Please take a look at this article, which covers multiple situations where users are trying to interact with buckets encrypted with KMS keys.

It covers both the IAM policy and the AWS KMS policy configurations.

Hope that helps.

AWS
David C
answered 7 months ago
  • Thank you, but this related to an event that has already passed.
