By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Creating Bucket Policy to Deny Unencrypted Uploads

0

Hello, I'm trying to create a bucket policy to deny uploads that are not encrypted with KMS keys and use Macie to verify that the policy is correct. I applied the following policy to a bucket which I took directly from this AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

{ "Version":"2012-10-17", "Id":"PutObjectPolicy", "Statement":[{ "Sid":"DenyObjectsThatAreNotSSEKMS", "Effect":"Deny", "Principal":"", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET1/", "Condition":{ "Null":{ "s3:x-amz-server-side-encryption-aws-kms-key-id":"true" } } } ] }

However, when I look in Amazon Macie it says that encryption is not required by bucket policy. (see screenshot) So I was wondering if this policy has all that is required for enforcing KMS encryption on object uploads or if there are additional policy statements necessary.

Macie

2 Answers
2
Accepted Answer

Hello.

If you set that bucket policy, uploading will fail if the encryption setting is other than KMS when using putobject.
In other words, the upload with the command below will fail.

aws s3api put-object --bucket s3-test --key test.txt --body test.txt --server-side-encryption AES256

Basically, if no option is specified, the default encryption set on the S3 bucket will be used, so I don't think there is much need to worry about the bucket policy.
For example, if you set the encryption method as an option as shown above, I think it is a valid bucket policy.
https://repost.aws/knowledge-center/s3-aws-kms-default-encryption

profile picture
EXPERT
answered 9 months ago
profile picture
EXPERT
reviewed 8 months ago
  • Thank you so much for your help!

1

Please update the resource on the policy to include the splat as you have omitted it.

arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*

Other than that, are you sure it’s not enforce encryption of data in transit as this is another macie finding.

https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule

profile picture
EXPERT
answered 9 months ago
  • Thank you so much for your help! I intended to include the splat in the bucket policy so this was just an error on my part when posting the question.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions