Questions tagged with Encryption

MSSQL RDS Backup and Restore

I am trying to do an MSSQL database backup and restore (from one AWS account to another) following the native backup and restore documentation:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html#SQLServer.Procedural.Importing.Native.Enabling

The backup seems to work fine to an S3 bucket. I am then downloading it from Account A and uploading it back to an S3 bucket in Account B. When I then try to restore using

```
exec msdb.dbo.rds_restore_database
    @restore_db_name='database_name',
    @s3_arn_to_restore_from='arn:aws:s3:::bucket_name/file_name.extension';
```

I get the following error:

> Aborted the task because of a task failure or a concurrent RESTORE_DB request. Task has been aborted **The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.**

This suggests to me an encryption issue; however, I have not specified a KMS key using the '@kms_master_key_arn' parameter on either the export or import, which the documentation suggests should export an unencrypted DB:

> The following parameters are optional: @kms_master_key_arn – The ARN for the symmetric encryption KMS key to use to encrypt the item. **If you don't specify a KMS key identifier, the backup file won't be encrypted.**

I'd appreciate any ideas if anyone has come across this problem before.
1 answer, 0 votes, 56 views, asked 4 months ago

CloudFront 403 errors with S3 (SSE-S3)

We have an S3 bucket with existing objects, and recently I've enabled SSE-S3 as the Encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.

We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update the bucket policy to allow GetObject requests from the distribution Origin. With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not.

I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case. Any ideas of what could be the problem? I tried looking in CloudTrail logs, but related events could be found :(

BTW: this is in the us-east-1 (Virginia) region.

This is the error message shown in the browser:

![Browser error message](https://repost.aws/media/postImages/original/IM111oQvslQMyGjNkJnH51Wg)

This is the bucket policy:

```
{
  "Version": "2012-10-17",
  "Id": "S3-Console-Auto-Gen-Policy-1657210423217",
  "Statement": [
    {
      "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
      "Effect": "Allow",
      "Principal": {
        "Service": "logging.s3.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
    }
  ]
}
```

This is the current bucket encryption setting:

![Encryption setting](https://repost.aws/media/postImages/original/IMSZxGEWsPRX6N095CEgdSTg)
2 answers, 0 votes, 164 views, asked 5 months ago