When performing operations in an S3 bucket with KMS encryption enabled, the related KMS operations are performed in the context of the IAM principal that initiated the S3 operation.

For example, if you upload an object using the console while logged in as an IAM user, a kms:GenerateDataKey request will be sent to KMS using the IAM user principal, not a service role. The principal being used will still need permission to perform kms:GenerateDataKey in the IAM policy, as well as the key policy.
By default, a customer managed key policy will allow access to the key from any principal in the account, and an AWS managed S3 KMS key allows any principal in the account when calling via S3 (using
A service role would only be required when S3 is performing the operations itself, e.g. replication. In this case, the replication role would need to be allowed these same permissions.
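Added example, not part of the answer above: a small Python model of the two checks the answer describes for a same-account caller, where both the caller's IAM identity policy and the KMS key policy must allow kms:GenerateDataKey, and where a key-policy statement restricted with the kms:ViaService condition key only matches requests that arrive through S3. The account ID, ARNs and policies are constructed placeholders, and the evaluator is deliberately simplified (no Deny statements, no cross-account grants).

```python
# Constructed sample policies; account ID and ARNs are placeholders.
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "kms:GenerateDataKey"], "Resource": "*"},
]}
KEY_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # any principal in the account
     "Action": "kms:*", "Resource": "*",
     # Only honoured when the KMS request is made via S3 in this region.
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}


def _matches(pattern, value):
    """IAM-style action matching: '*' matches anything, 'kms:*' matches any kms action."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(p == "*" or p == value or (p.endswith("*") and value.startswith(p[:-1]))
               for p in patterns)


def _statement_allows(stmt, action, via_service):
    """True if an Allow statement covers the action and its kms:ViaService condition (if any) holds."""
    if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return "kms:ViaService" not in cond or cond["kms:ViaService"] == via_service


def _principal_matches(principal, caller_arn):
    """Key-policy Principal check: the caller's own ARN, or the account root (delegates to IAM)."""
    allowed = principal.get("AWS", [])
    allowed = allowed if isinstance(allowed, list) else [allowed]
    caller_account = caller_arn.split(":")[4]
    return any(p == caller_arn or p == f"arn:aws:iam::{caller_account}:root" for p in allowed)


def kms_call_allowed(caller_arn, action, via_service=None,
                     iam_policy=IAM_POLICY, key_policy=KEY_POLICY):
    """Same-account rule from the answer: the IAM policy AND the key policy must both allow it.

    via_service is the kms:ViaService value for the request (None for a direct KMS call)."""
    iam_ok = any(_statement_allows(s, action, via_service) for s in iam_policy["Statement"])
    key_ok = any(_principal_matches(s["Principal"], caller_arn)
                 and _statement_allows(s, action, via_service)
                 for s in key_policy["Statement"])
    return iam_ok and key_ok


if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/alice"
    print(kms_call_allowed(user, "kms:GenerateDataKey", "s3.us-east-1.amazonaws.com"))  # True
```

The replication case from the answer is the same evaluation with the replication role's ARN as the caller, since S3 then calls KMS as that role.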