By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM role for S3 encrypted upload only

0

Hi All,

I have an SFTP server that receives data files on a daily basis.
I would like to copy these files to S3 and encrypt them for perpetual storage.
My preference is that the IAM role granted to the SFTP server only has permissions to encrypt, not decrypt the files.
From the documentation, I should be able to achieve this by specifying a key on upload to S3 and ensuring the IAM role for the SFTP server has only the encrypt permission.

My IAM policies below:

Firstly, S3 allow all (Just for testing):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

KMS Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Encrypt",
            "Resource": "arn:aws:kms:ap-southeast-2:<account-id>:key/<key-id> "
        }
    ]
}

When I try and copy a file to S3 using

aws s3 cp test.txt s3://<folderName>/test.txt --sse aws:kms --sse-kms-key-id <key-id>

I get an error message:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

If I manually go into the KMS policy and allow the IAM user permissions, then the IAM user can encrypt & decrypt the file which is not what I want.

Has anyone managed to achieve this?

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English
WilliamGebers
asked 5 years ago544 views
1 Answer
0

For anyone else who wants to achieve this. I was missing a single permission "kms:GenerateDataKey". Full policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey",
				"s3:PutObject",
                "s3:ListBucket",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<BucketName>",
                "arn:aws:s3:::<BucketName>/*",
                "arn:aws:kms:<Region>:<AccountID>:key/<KeyID>"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:HeadBucket",
            "Resource": "*"
        }
    ]
}
WilliamGebers
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content