Use KMS grant to access an encrypted KMS-CMK S3 bucket


Hi, I have an S3 bucket encrypted with a customer-managed KMS key (let's say keyA). I have a user, let's call him Bob, who cannot use that KMS key for encryption operations (there is an express Deny), but he has Create/Retire grant permission for that key.

I'm using Bob's AWS credentials to run a Java application locally that performs put/get operations on an AWS S3 bucket that is encrypted server-side with keyA, and the bucket policy allows only encrypted uploads with keyA.

What I want to do is, when the application needs to upload a file:

  • create a KMS grant for Bob "on the fly", allowing encryption and data key generation
  • do the put request on S3, using the grant token (because the grant may not be immediately active)
  • retire the grant

It seems it is not possible to "pass" the grant token (I'm using the Java SDK, following the example putEncryptedData3_Kms of this tutorial).


The reason for doing that is that in this way I could set a condition on the grant, based on the encryption context used for encryption, so that Bob would be able to upload files but only using a certain context (and use the same logic to allow decryption and download).

Is there any way to do it?

1 Answer


My understanding is that you want to limit Bob's ability to upload files to an S3 bucket with SSE-KMS encryption, based on the path of the uploaded file. Using bucket keys, which is most normal now for cost optimization, the encryption context of the KMS operation will be the bucket name and thus not depend on the key of the S3 object (the path name).
(I assume that the Deny on Encrypt/Decrypt but Allow on Create/Retire grant permission for the key is something which you can change.)

So, I think it would be better to restrict Bob's upload ability using a condition based on the object resource ARN for operations using PutObjectVersion, and do that on the role which the Java application assumes when invoked by Bob.

To make this more scalable, you could implement a session policy (with a variable substitution for the username) so there is a boundary on what the application can do with the assumed role, based on the user invoking the application.

Hope this is relevant for your issue.

With kind regards,
Bent T

answered 2 years ago
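The session-policy approach from the answer above, as an added example that is not part of the original question or answer. It is stdlib-only Python and runs offline: it builds the session policy document an application would pass as the `Policy` parameter of STS `AssumeRole`, substituting the username in the application itself (the `aws:username` policy variable is populated only for IAM users, not for an assumed-role session, so the caller has to do the substitution), and it evaluates the request against the role policy and the session policy the way IAM combines them for a session: both must allow, and an explicit Deny in either wins. Two practitioner checks are built in: the username is validated before it is spliced into a resource ARN, since a `*` or `?` in it would widen the scope, and the session policy must also allow `kms:GenerateDataKey` on the bucket's key, because an SSE-KMS `PutObject` fails without it even when `s3:PutObject` is allowed. Bucket name, key ARN, account ID and usernames are placeholders; the evaluator ignores Conditions, bucket policies and permission boundaries.

```python
import json
import re

# Placeholders (assumed values, not from the original post).
BUCKET = "example-bucket"
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Identity policy on the role the Java application assumes: whole bucket.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": KEY_ARN},
    ],
}

# Characters IAM allows in a user name; anything else (notably * and ?) is
# rejected so it cannot act as a wildcard once substituted into the ARN.
_USERNAME_RE = re.compile(r"[A-Za-z0-9+=,.@_-]{1,64}")


def is_safe_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


def make_session_policy(bucket: str, username: str, key_arn: str) -> dict:
    """Session policy that scopes the assumed role to the caller's own prefix.
    The username is substituted here, by the application, before AssumeRole."""
    if not is_safe_username(username):
        raise ValueError(f"unsafe username: {username!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnPrefixOnly", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{username}/*"},
            # SSE-KMS: PutObject needs GenerateDataKey, GetObject needs Decrypt.
            {"Sid": "KmsForSseKms", "Effect": "Allow",
             "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
             "Resource": key_arn},
        ],
    }


def _match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: * matches any run of characters, ? matches one."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_decision(policy: dict, action: str, resource: str) -> str:
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document (Conditions ignored).
    Action names are case-insensitive in IAM; S3 object ARNs are case-sensitive."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if not any(_match(a, action, ignore_case=True) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_allow(role_policy: dict, session_policy: dict, action: str, resource: str) -> bool:
    """A session policy intersects with the role's identity policies: the request
    is allowed only if both allow it and neither explicitly denies it."""
    return (policy_decision(role_policy, action, resource) == "Allow"
            and policy_decision(session_policy, action, resource) == "Allow")


def can_put(role_policy: dict, session_policy: dict, bucket: str, key: str,
            key_arn: str = KEY_ARN) -> bool:
    """SSE-KMS upload: needs s3:PutObject on the object AND kms:GenerateDataKey on the key."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    return (effective_allow(role_policy, session_policy, "s3:PutObject", obj_arn)
            and effective_allow(role_policy, session_policy, "kms:GenerateDataKey", key_arn))


if __name__ == "__main__":
    session = make_session_policy(BUCKET, "bob", KEY_ARN)
    print(json.dumps(session, indent=2))  # document to pass as AssumeRole Policy=
    print("bob -> bob/report.csv:", can_put(ROLE_POLICY, session, BUCKET, "bob/report.csv"))
    print("bob -> alice/report.csv:", can_put(ROLE_POLICY, session, BUCKET, "alice/report.csv"))
```

The printed document is what the application hands to STS (`sts.assume_role(RoleArn=..., RoleSessionName=..., Policy=json.dumps(session))` in boto3, or the equivalent `policy()` setter on the Java SDK's AssumeRoleRequest); the role's own policy stays broad, and the session policy is the per-user boundary the answer describes. Dropping the KmsForSseKms statement is the usual mistake: `s3:PutObject` would still be allowed, but S3 could not generate the data key under the session's credentials and the upload would be rejected.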
