How to decrypt AWS KMS Double Encryption when downloading files from S3?


In our use case, S3 Bucket default server side encryption is set to use KMS.

We're generating the RDS MSSQL DB transaction logs and storing them into S3 using exec msdb.dbo.rds_tlog_backup_copy_to_S3 with the @kms_key_arn parameter.

In the above scenario, the file residing inside S3 is double encrypted, i.e. encrypted first when storing the transaction logs to S3 by using msdb.dbo.rds_tlog_backup_copy_to_S3 with the @kms_key_arn parameter, and re-encrypted again with the S3 bucket default server-side encryption, which is set to use KMS.

Our requirement is that the AWS KMS encrypted database backup needs to be restored in an on-premises environment. The on-premises environment isn't aware of the AWS KMS key details because it's an external entity. So, we must decrypt the AWS KMS encrypted files prior to restoring.

We understand that we don't need to specify the AWS Key Management Service (AWS KMS) key ID when we download an SSE-KMS-encrypted object from an S3 bucket. Instead, we need the permission to decrypt with the AWS KMS key. We have these IAM permission policies in place. However, our S3 transaction backup log file objects are double encrypted. With these IAM decrypt permission policies in place, the file is decrypted only once (the layer that was encrypted by SSE-KMS), and I could not find a solution to decrypt the file which was encrypted by using msdb.dbo.rds_tlog_backup_copy_to_S3 with the @kms_key_arn parameter. Could you please suggest any solution for this? Thanks.

1 Answer

Download the object from S3: You will need to use an AWS SDK or CLI command. This will automatically decrypt the server-side encryption layer if your permissions are set up correctly.

aws s3 cp s3://mybucket/myobject .

Decrypt the second encryption layer: For the second decryption, you will need to use the Decrypt operation provided by the KMS API. The exact code will depend on which programming language and AWS SDK you are using.

aws kms decrypt --ciphertext-blob fileb://my_encrypted_file --output text --query Plaintext | base64 --decode > my_decrypted_file

It's worth mentioning that decrypting the file locally (outside AWS environment) would require you to have the necessary KMS keys in your local environment which may not be feasible or secure in many cases, since the KMS key's purpose is to be kept secret and not distributed.

answered a year ago
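The KMS Decrypt API accepts at most 4096 bytes of ciphertext, so a file-sized object encrypted under a KMS key is in practice envelope-encrypted: KMS unwraps only a small data key, and the file body is decrypted locally with that key. The following added example (not from the answer above, nor AWS or RDS code) shows that pattern in Go with a constructed envelope layout; the RDS transaction-log backup format is not documented on this page, and KeyUnwrapper and FakeKMS are stand-ins for the SDK's KMS client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// KeyUnwrapper abstracts the KMS Decrypt call; in production it would wrap
// kms.Client.Decrypt from the AWS SDK, which only ever receives the wrapped key.
type KeyUnwrapper interface {
	Decrypt(wrappedKey []byte) ([]byte, error)
}

// FakeKMS stands in for the service so the example runs offline: it "unwraps" by
// looking up the wrapped key, and anything unknown fails like a denied Decrypt.
type FakeKMS map[string][]byte

func (f FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if k, ok := f[string(wrapped)]; ok {
		return k, nil
	}
	return nil, errors.New("KMS: unknown or inaccessible ciphertext blob")
}

// Constructed envelope layout for this example (NOT the RDS tlog backup format):
// [2-byte big-endian length][wrapped data key][12-byte nonce][AES-GCM body+tag].
// Only the wrapped key goes to KMS Decrypt, which rejects ciphertext over 4096
// bytes; the body is decrypted locally with the plaintext data key KMS returns.
func DecryptEnvelope(kms KeyUnwrapper, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if n == 0 || len(blob) < 2+n+12 {
		return nil, errors.New("malformed envelope header")
	}
	dataKey, err := kms.Decrypt(blob[2 : 2+n])
	if err != nil {
		return nil, err // without KMS access, no key material ever exists locally
	}
	block, err := aes.NewCipher(dataKey) // KMS data keys are 16 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	// Open verifies the GCM tag, so a tampered or truncated body is rejected.
	return gcm.Open(nil, blob[2+n:2+n+12], blob[2+n+12:], nil)
}
```

On-premises, the only credential this pattern needs is an IAM identity allowed to call kms:Decrypt on the key; the KMS key itself never leaves the service.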
