2 Answers
- Newest
- Most votes
- Most comments
1
Yes, you are correct in order for successfully uploading and downloading the SSE-KMS encrypted objects from S3 bucket you would need "kms:Encrypt" , "kms:Decrypt" and "kms:GenerateDataKey" permissions inside the IAM role.
https://repost.aws/knowledge-center/s3-large-file-encryption-kms-key
0
For anyone else who wants to achieve this. I was missing a single permission "kms:GenerateDataKey". Full policy below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey",
"s3:PutObject",
"s3:ListBucket",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<BucketName>",
"arn:aws:s3:::<BucketName>/*",
"arn:aws:kms:<Region>:<AccountID>:key/<KeyID>"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:HeadBucket",
"Resource": "*"
}
]
}
answered 6 years ago
Relevant content
- asked a month ago
- asked 9 months ago
- asked 2 years ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 4 months ago