Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?


I want to download stored objects from Amazon Simple Storage Service (Amazon S3) that use server-side encryption with AWS Key Management Service-managed keys (SSE-KMS).

Resolution

You don't need to specify the AWS Key Management Service (AWS KMS) key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Amazon S3 stores the ID of the key that encrypted the object with the object's metadata and calls AWS KMS on your behalf. What you do need is permission to decrypt with that key (the kms:Decrypt action).

When a user sends a GET request for the object, Amazon S3 checks whether the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to call kms:Decrypt with the object's key. If the IAM user or role and the key belong to the same AWS account, then the key policy must grant the decrypt permission, either by naming the principal directly or by delegating the decision to IAM policies.

Note: When the IAM user or role and the KMS key are in the same account, you can use IAM policies to control access to the key. However, IAM policies have no effect on a key until the key policy explicitly allows them: the key policy must contain a statement that gives the account's root principal (for example, arn:aws:iam::123456789012:root) permission to use the key. That statement is what delegates authorization to IAM policies in the account. For more information, see Using IAM policies with AWS KMS.

If the IAM user or role and the key belong to different accounts, then you have to grant decrypt permissions in both places: in an IAM policy attached to the user or role (in the user's account) and in the key policy (in the key's account). Neither one is sufficient on its own for cross-account access.

The following is an example IAM policy that allows the user to both decrypt with the AWS KMS key and download objects from the S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}

The following is an example key policy statement that allows the user to decrypt the key:

{
  "Sid": "Allow decryption of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:user/Bob"
    ]
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*"
}

Note: For IAM users or roles that belong to a different account than the bucket, the bucket policy must also grant the user access to objects. For example, if the user needs to download from the bucket, then the user must have permission to the s3:GetObject action on the bucket policy.
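The same-account and cross-account rules above are easy to get wrong in practice, so here is an added example (not code from this AWS page) that models them offline against the page's own IAM policy and key policy statement. It is a deliberately small policy evaluator: it assumes DOC-EXAMPLE-BUCKET is owned by Bob's account (123456789012), constructs an "Enable IAM User Permissions" key policy statement and a cross-account user Alice in a hypothetical account 111122223333, and ignores Deny statements, Condition blocks, KMS grants and S3 object-ownership checks. It is a model of the text's authorization logic, not a substitute for the IAM policy simulator.

```python
"""Added example, not AWS code: an offline model of how a GET of an SSE-KMS object
is authorized, following the same-account / cross-account rules in the text.
Assumptions: Deny statements, Conditions, KMS grants and S3 ownership checks are
not modelled; DOC-EXAMPLE-BUCKET is owned by account 123456789012 (constructed)."""
import fnmatch

KEY_ARN = "arn:aws:kms:example-region-1:123456789012:key/example-key-id"
BUCKET_OWNER = "123456789012"   # assumed bucket owner account
OBJECT_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/dir/example-object-name"
BOB = "arn:aws:iam::123456789012:user/Bob"

# The IAM policy shown on the page, attached to the caller.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "s3:GetObject"],
        "Resource": [KEY_ARN, "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    }],
}

# Key policy statements: the page's statement naming Bob, and the standard
# "Enable IAM User Permissions" statement that delegates to IAM policies.
DECRYPT_BOB = {"Sid": "Allow decryption of the key", "Effect": "Allow",
               "Principal": {"AWS": [BOB]}, "Action": ["kms:Decrypt"], "Resource": "*"}
ENABLE_IAM = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
              "Action": "kms:*", "Resource": "*"}

# Constructed bucket policy that names nobody: harmless for same-account
# callers, fatal for cross-account callers (see the note in the text).
EMPTY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}


def account_of(arn):
    """Account ID field of an ARN (empty for S3 ARNs, which carry none)."""
    return arn.split(":")[4]


def _listed(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource, principal=None):
    """One Allow statement covers the action and resource (IAM '*'/'?' wildcards).
    For resource-based policies the principal must be named, or the policy uses '*'."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _listed(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listed(stmt.get("Resource", []))):
        return False
    if principal is not None:
        p = stmt.get("Principal", {})
        named = ["*"] if p == "*" else _listed(p.get("AWS", []))
        if principal not in named and "*" not in named:
            return False
    return True


def policy_allows(policy, action, resource, principal=None):
    return any(statement_allows(s, action, resource, principal) for s in policy["Statement"])


def check_access(principal, iam_policy, key_policy, bucket_policy):
    """Return (allowed, reasons) for a GET of OBJECT_ARN by `principal`."""
    reasons = []
    root = "arn:aws:iam::%s:root" % account_of(principal)

    # kms:Decrypt on the key.
    iam_kms = policy_allows(iam_policy, "kms:Decrypt", KEY_ARN)
    key_names_principal = policy_allows(key_policy, "kms:Decrypt", KEY_ARN, principal)
    key_delegates = policy_allows(key_policy, "kms:Decrypt", KEY_ARN, root)
    if account_of(principal) == account_of(KEY_ARN):
        # Same account: the key policy decides, directly or by delegating to IAM.
        kms_ok = key_names_principal or (key_delegates and iam_kms)
    else:
        # Cross account: the key policy AND the caller's IAM policy must both allow.
        kms_ok = (key_names_principal or key_delegates) and iam_kms
    if not kms_ok:
        reasons.append("kms:Decrypt not allowed on %s" % KEY_ARN)

    # s3:GetObject on the object.
    iam_s3 = policy_allows(iam_policy, "s3:GetObject", OBJECT_ARN)
    bucket_s3 = (policy_allows(bucket_policy, "s3:GetObject", OBJECT_ARN, principal)
                 or policy_allows(bucket_policy, "s3:GetObject", OBJECT_ARN, root))
    if account_of(principal) == BUCKET_OWNER:
        s3_ok = iam_s3 or bucket_s3          # same account: either policy suffices
    else:
        s3_ok = iam_s3 and bucket_s3         # cross account: both are required
    if not s3_ok:
        reasons.append("s3:GetObject not allowed on %s" % OBJECT_ARN)

    return (not reasons), reasons


if __name__ == "__main__":
    # Bob, same account, key policy delegates to IAM: allowed.
    print(check_access(BOB, IAM_POLICY, {"Statement": [ENABLE_IAM]}, EMPTY_BUCKET_POLICY))
```

Running `check_access` for Bob with the page's key policy statement, or with only the delegating root statement plus the page's IAM policy, returns allowed; running it for a user in another account whom neither the key policy nor the bucket policy names returns both failure reasons, which is the cross-account situation the notes above describe.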

After you have permission to decrypt with the key, you can download S3 objects encrypted with that key using the AWS Command Line Interface (AWS CLI). The command does not reference the key at all. Run a command similar to the following:

aws s3api get-object --bucket DOC-EXAMPLE-BUCKET --key dir/example-object-name example-object-name

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Related information

GetObject

get-object

Protecting data using server-side encryption with CMKs stored in AWS Key Management Service (SSE-KMS)

AWS OFFICIAL. Updated a year ago.