- Newest
- Most votes
- Most comments
OK, it turned out that we have an SCP policy which enforces us to include the x-amz-server-side-encryption header for each s3:PutObject. Since it is not what AWS Transfer family does, we're getting that access denied error. So the solution is to exclude Transfer Family service from that SCP.
have you checked the server logs ? and if you saw below error then You must specify additional permissions in your policy to grant the required AWS Key Management Service (AWS KMS) permissions. For details, you can check below link
https://docs.aws.amazon.com/transfer/latest/userguide/encryption-at-rest.html
ERROR Message="Access denied" Operation=CLOSE Path=/bucket/user/test.txt BytesIn=13 ERROR Message="Access denied"
Could it be the Key Policy does not allow the role?
Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect.
I have the same issue with uploading files into SFTP server to S3 bucket getting "Access Denied" error. I can already download existing files successfully from SFTP server which are encrypted in S3 bucket, so the KMS key access works. Also it works with the same configuration in our old AWS account (all KMS permissions granted to IAM role and within KMS key policy). Probably in this old AWS account there were no SCP policies enabled.
Our problem might be caused by our SCP policy as well that enforces x-amz-server-side-encryption header
We also can't upload new files to S3 bucket using AWS console, it only works if we set the hidden option "Properties" -> "Server-side encryption" -> "Specify an encryption key" -> "Use bucket settings for default encryption". Similar when using AWS CLI we have to set the additional params or otherwise we get Access Denied as well: aws s3 cp [...] --server-side-encryption aws:kms aws s3api put-object [...] --sse aws:kms
Relevant content
- asked 6 months ago
- asked 3 years ago
- asked a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 4 months ago
Yes, I'm getting the following error in the server logs. ERROR Message="Access denied" Operation=CLOSE Path=/sftp2/abc/test.txt BytesIn=194
However, the bucket key is specified in the policy { "Sid": "EncryptionInAWSTransferFamily", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "arn:aws:kms:eu-north-1::key/<key-id>" }
Also, the IAM role that is used for the user is allowed in the AWS KMS key policy.
Advocating this response, a critical piece for anyone with private buckets with default encryption enabled. Key in that article, not heavily emphasized is ensuring the KMS policies are added to BOTH the session policy and server's role/user.