By using AWS re:Post, you agree to the Terms of Use

Is it possible to access to a public image in an KMS encrypted bucket without signature

0

Hi everyone,

we tried to encrypt our S3 bucket with SSE-KMS key provided by AWS and everything is working fine except when we try to access images uploaded with ACL public-read. We get this error:

<Error>
<Code>InvalidArgument</Code>
<Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7DTKMXMNF96AK54C</RequestId>
<HostId>h97Cnkid3HVkjoJ/iZR2FniRNz4Gm59eqUlnSU2KNyzwhC7FtDyVnA3NVS7nKx0CtGECI1YnlzI=</HostId>
</Error>

It looks like a nonsense to have public encrypted objects but we use only one bucket for our application and some objects can be public while some other are not. We do not know how to generate a link that make the image accessible to everyone and that will not expire.

Can anybody help on this ?

Regards Quentin

  • Quentin, Adding a comment here related to data classification and using separate buckets. It's best practice to separate data with different data classifications for a variety of reasons (e.g. security, life-cycle management, etc). Revisiting this decision could improve your security and operating model.

3 Answers
2

All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only controls the get/put actions, not encryption). You have two options, don't use default bucket encryption and only encrypt objects that are not going to be public. Or use two buckets, one with default bucket encryption for private objects, and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).

answered 10 months ago
EXPERT
reviewed 10 months ago
0

Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects

answered 10 months ago
  • You CAN technically unencrypt an object in a bucket where the default bucket encryption is turned on using the AWS web console ONLY. If anyone knows a way to achieve this using API, please let me know.

0

All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions