By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Is it possible to access to a public image in an KMS encrypted bucket without signature

0

Hi everyone,

we tried to encrypt our S3 bucket with SSE-KMS key provided by AWS and everything is working fine except when we try to access images uploaded with ACL public-read. We get this error:

<Error>
<Code>InvalidArgument</Code>
<Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7DTKMXMNF96AK54C</RequestId>
<HostId>h97Cnkid3HVkjoJ/iZR2FniRNz4Gm59eqUlnSU2KNyzwhC7FtDyVnA3NVS7nKx0CtGECI1YnlzI=</HostId>
</Error>

It looks like a nonsense to have public encrypted objects but we use only one bucket for our application and some objects can be public while some other are not. We do not know how to generate a link that make the image accessible to everyone and that will not expire.

Can anybody help on this ?

Regards Quentin

  • AWS-User-9602894
    2 years ago

    Quentin, Adding a comment here related to data classification and using separate buckets. It's best practice to separate data with different data classifications for a variety of reasons (e.g. security, life-cycle management, etc). Revisiting this decision could improve your security and operating model.

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Key Management Service
Language
English
QuentinD-Capsens
asked 2 years ago3271 views
3 Answers
2

All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only controls the get/put actions, not encryption). You have two options, don't use default bucket encryption and only encrypt objects that are not going to be public. Or use two buckets, one with default bucket encryption for private objects, and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).

AWS
mike
answered 2 years ago
AWS
EXPERT
Hernito
reviewed 2 years ago
0

Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects

QuentinD-Capsens
answered 2 years ago
  • Chenjie Ni
    2 years ago

    You CAN technically unencrypt an object in a bucket where the default bucket encryption is turned on using the AWS web console ONLY. If anyone knows a way to achieve this using API, please let me know.

0

All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version

AWS
AWS-User-9602894
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content