- Newest
- Most votes
- Most comments
All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only controls the get/put actions, not encryption). You have two options, don't use default bucket encryption and only encrypt objects that are not going to be public. Or use two buckets, one with default bucket encryption for private objects, and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).
Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects
You CAN technically unencrypt an object in a bucket where the default bucket encryption is turned on using the AWS web console ONLY. If anyone knows a way to achieve this using API, please let me know.
All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version
Relevant content
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago
Quentin, Adding a comment here related to data classification and using separate buckets. It's best practice to separate data with different data classifications for a variety of reasons (e.g. security, life-cycle management, etc). Revisiting this decision could improve your security and operating model.