By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Cannot access encrypted files from RDS in S3 bucket

0

I export data from an Aurora Postgres instance to S3 via the aws_s3.query_export_to_s3 function. The destination bucket does not have default encryption enabled. When I try to download one of the files I get the following error:

The ciphertext refers to a customer mast3r key that does not exist, does not exist in this region, or you are not allowed to access.

Note: I had to change the word mast3r because this forum doesn't allow me to post it as it is a "non-inclusive" word...

The reasons seems to be that the files got encrypted with the AWS managed RDS key which has the following policy:

{
    "Version": "2012-10-17",
    "Id": "auto-rds-2",
    "Statement": [
        {
            "Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "123456789",
                    "kms:ViaService": "rds.eu-central-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}

I assume that the access doesn't work because of the ViaService condition when trying to decrypt the file via S3.

I tried to access to files with the root user instead of an IAM user and it works. Is there any way to get access with an IAM user? As far as I know, you cannot modify the policy of an AWS managed key. I also don't understand why the root user can decrypt the file as the policy doesn't explicitly grant decrypt permissions to it other than the permissions when called from RDS.

Topics
StorageSecurity, Identity, & ComplianceDatabase
Tags
Amazon Simple Storage ServiceAWS Key Management ServiceAurora PostgreSQL
Language
English
AWS-User-1526643
asked a year ago1192 views
1 Answer
0
Accepted Answer

aws_s3.query_export_to_s3 uses the AWS managed Key aws/s3 to encrypt the exported Data (rather than aws/rds listed in the question). The policy for that Key is as follows:

{
    "Version": "2012-10-17",
    "Id": "auto-s3-2",
    "Statement": [
        {
            "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "123456789012",
                    "kms:ViaService": "s3.eu-central-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}

According to this policy, any IAM principal of your account can use that key do Encrypt, Decrypt etc. via the S3 service (first policy statement), while direct usage is restricted to Metadata only operations (second policy statement). So if your IAM principal resides in the same account as the key and has access to the S3 objects via GetObject, they should also be able to decrypt and download the exported data. Reasons I can think of that could prevent this are

  1. You try to access the objects from a principal in another Account (that has access to the data e.g. via a cross-account role or bucket policy) but cannot access the AWS managed key aws/s3 to decrypt.
  2. There is an explicit Deny for your IAM principal that prevents your IAM principal from accessing the key.

Notice that there is no need for explicit denies in that case, as an IAM principal has no means of directly using aws/s3 to Decrypt without going through S3. There is also no possibility for any IAM principal (even root) to obtain this priviledges for that particular key, as

  1. the key policy of an AWS managed key such as aws/s3 can not be altered and
  2. the key policy of aws/s3 does not allow CreateGrant to delegate access to the key (even for the root user).
AWS
mmeidlin
answered a year ago
  • AWS-User-1526643
    a year ago

    I was able to debug this with CloudTrail. The log event there for the DECRYPT request was much more helpful than the error in S3 as it says kms:Decrypt on resource: arn:aws:kms:eu-central-1:[account_id]:key/[key_id] with an explicit deny in an identity-based policy. We have a policy which enforces that AWS API requests from user accounts must come from specific IPs. However, there was no exception added for internal calls coming from AWS services as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html Since S3 makes an internal request to KMS using the identity of the IAM principal that made the initial S3 Get request it was affected by the deny policy. Adding {"aws:ViaAWSService": "false"} to the policy conditions solved the issue.

  • rePost-User-0216499
    a year ago

    I'm in a situation where I'm trying to access the exported data from a principal in another account as you described in your first point. Does this mean that it's not possible? Do you have any suggestions for workarounds?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content