Cannot access encrypted files from RDS in S3 bucket
I export data from an Aurora Postgres instance to S3 via the aws_s3.query_export_to_s3 function. The destination bucket does not have default encryption enabled. When I try to download one of the files I get the following error:
The ciphertext refers to a customer mast3r key that does not exist, does not exist in this region, or you are not allowed to access.
Note: I had to change the word mast3r because this forum doesn't allow me to post it as it is a "non-inclusive" word...
The reason seems to be that the files got encrypted with the AWS managed RDS key, which has the following policy:
{
  "Version": "2012-10-17",
  "Id": "auto-rds-2",
  "Statement": [
    {
      "Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789",
          "kms:ViaService": "rds.eu-central-1.amazonaws.com"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "kms:RevokeGrant"
      ],
      "Resource": "*"
    }
  ]
}
I assume that the access doesn't work because of the ViaService condition when trying to decrypt the file via S3.
I tried to access the files with the root user instead of an IAM user and it works. Is there any way to get access with an IAM user? As far as I know, you cannot modify the policy of an AWS managed key. I also don't understand why the root user can decrypt the file, as the policy doesn't explicitly grant decrypt permissions to it other than the permissions when called from RDS.
aws_s3.query_export_to_s3 uses the AWS managed key aws/s3 to encrypt the exported data (rather than aws/rds listed in the question). The policy for that key is as follows:
{
  "Version": "2012-10-17",
  "Id": "auto-s3-2",
  "Statement": [
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012",
          "kms:ViaService": "s3.eu-central-1.amazonaws.com"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*"
      ],
      "Resource": "*"
    }
  ]
}
According to this policy, any IAM principal of your account can use that key to Encrypt, Decrypt etc. via the S3 service (first policy statement), while direct usage is restricted to metadata-only operations (second policy statement). So if your IAM principal resides in the same account as the key and has access to the S3 objects via GetObject, they should also be able to decrypt and download the exported data. Reasons I can think of that could prevent this are:
- You try to access the objects from a principal in another account (that has access to the data, e.g. via a cross-account role or bucket policy) but cannot access the AWS managed key aws/s3 to decrypt.
- There is an explicit Deny for your IAM principal that prevents your IAM principal from accessing the key.
Notice that there is no need for explicit denies in that case, as an IAM principal has no means of directly using aws/s3 to Decrypt without going through S3. There is also no possibility for any IAM principal (even root) to obtain these privileges for that particular key, as
- the key policy of an AWS managed key such as aws/s3 can not be altered and
- the key policy of aws/s3 does not allow CreateGrant to delegate access to the key (even for the root user).
I was able to debug this with CloudTrail. The log event there for the DECRYPT request was much more helpful than the error in S3, as it says: kms:Decrypt on resource: arn:aws:kms:eu-central-1:[account_id]:key/[key_id] with an explicit deny in an identity-based policy. We have a policy which enforces that AWS API requests from user accounts must come from specific IPs. However, there was no exception added for internal calls coming from AWS services as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html. Since S3 makes an internal request to KMS using the identity of the IAM principal that made the initial S3 Get request, it was affected by the deny policy. Adding {"aws:ViaAWSService": "false"} to the policy conditions solved the issue.