S3 SSEKMSKeyId Not required when getObject

0

I'm sending files by specifying the SSEKMSKeyId using the PHP code below:

$response = self::$s3Client->putObject([
    'Bucket'               => $bucket,
    'Key'                  => $fileName,
    'Body'                 => fopen($file, 'r'),
    'ContentType'          => $fileType,
    'ServerSideEncryption' => 'aws:kms',
    'SSEKMSKeyId'          => $encryptionKeyId,
    // Fixed: the SDK parameter for S3 Bucket Keys is BucketKeyEnabled and takes a
    // boolean; the original 'ServerSideEncryptionBucketKeyEnabled' => 'true' is not
    // a putObject parameter the SDK recognizes.
    'BucketKeyEnabled'     => true,
]);

When I go to retrieve the file, it's not requiring me to send the 'SSEKMSKeyId' to get the file unencrypted. I can see in the Console that Server Side Encryption is on for the file and it's enabled using the Key ID that I sent during the putObject.

$response = self::$s3Client->getObject([
    'Bucket' => $bucket,
    'Key'    => $fileName,
]);

I would expect the behavior to return an encrypted file without the 'SSEKMSKeyId'. What am I missing?

2 Answers
1

If you have permission to decrypt the KMS key and access to the S3 bucket/object, you'll be able to access the file without any issue. If a user has access to this S3 bucket/object but doesn't have access to the KMS key, they would get access denied while trying to GetObject.

Refer to this re:Post Knowledge Center article.


Hope this clarifies your doubt. Comment here if you have additional questions, happy to assist.

Abhishek

AWS EXPERT
answered 12 days ago
0

Encryption Process:

You use SSEKMSKeyId during putObject to specify the KMS key for encryption. S3 encrypts the uploaded file data "at rest" using the provided KMS key. This means the data is encrypted on S3's servers. Crucially, S3 stores the information about the KMS key used for encryption along with the object itself.

Decryption Process:

When you call getObject on the encrypted object, S3 retrieves the necessary information about the KMS key from the object's metadata. S3 automatically decrypts the object data using the retrieved KMS key before returning it to you.

Why SSEKMSKeyId Isn't Needed in getObject:

Since S3 stores the KMS key information with the object, you don't need to include SSEKMSKeyId again during getObject. S3 already knows which key to use for decryption.

sandeep
answered 12 days ago
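The flow both answers describe, as an added example (not code from the question or from either answer): upload with SSE-KMS, confirm via HeadObject that S3 recorded the key with the object, then fetch it without naming any key. The bucket name, object key, local file path and KMS key ARN are placeholders.

```php
<?php
// Added example: SSE-KMS round trip with the AWS SDK for PHP v3.
// Bucket, key, file path and KMS key ARN below are placeholders.
require 'vendor/autoload.php';

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$s3     = new S3Client(['region' => 'us-east-1', 'version' => 'latest']);
$bucket = 'example-bucket';                                           // placeholder
$key    = 'reports/q1.pdf';                                           // placeholder
$kmsKey = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID';    // placeholder

// 1. Upload: the KMS key is chosen here, and only here. The caller needs
//    kms:GenerateDataKey on this key for the upload to succeed.
$s3->putObject([
    'Bucket'               => $bucket,
    'Key'                  => $key,
    'Body'                 => fopen('/tmp/q1.pdf', 'r'),              // placeholder
    'ServerSideEncryption' => 'aws:kms',
    'SSEKMSKeyId'          => $kmsKey,
    'BucketKeyEnabled'     => true,   // S3 Bucket Key: fewer KMS calls per object
]);

// 2. S3 stores the key identity with the object. HeadObject returns it
//    without downloading data, which is how to verify what was applied.
$head = $s3->headObject(['Bucket' => $bucket, 'Key' => $key]);
printf("SSE: %s\nKMS key: %s\nBucket key: %s\n",
    $head['ServerSideEncryption'],                      // "aws:kms"
    $head['SSEKMSKeyId'],                               // the ARN passed above
    var_export($head['BucketKeyEnabled'] ?? null, true));

// 3. Download: no SSEKMSKeyId. S3 reads the stored key and calls kms:Decrypt
//    on the caller's behalf, so the caller's IAM policy (or the key policy)
//    must allow kms:Decrypt on that key; s3:GetObject alone is not enough.
try {
    $obj = $s3->getObject(['Bucket' => $bucket, 'Key' => $key]);
    echo 'Plaintext bytes returned: ' . strlen((string) $obj['Body']) . "\n";
} catch (S3Exception $e) {
    // AccessDenied here, with s3:GetObject already granted, is the symptom
    // of a missing kms:Decrypt permission on the object's KMS key.
    echo 'GetObject failed: ' . $e->getAwsErrorCode() . "\n";
}
```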
