Why can’t I upload a large file to Amazon S3 with AWS KMS key encryption?
I want to upload a large file to my Amazon Simple Storage Service (Amazon S3) bucket. In my upload request, I include encryption information with an AWS Key Management Service (AWS KMS) key. However, I get an Access Denied error.
Short description
Confirm that you have permission to perform kms:Decrypt actions on the AWS KMS key that you use to encrypt the object.
For large files, high-level s3 commands with the AWS Command Line Interface (AWS CLI), AWS SDKs, and many third-party programs automatically perform a multipart upload. To use an AWS KMS key to encrypt a multipart upload, you must have kms:GenerateDataKey and kms:Decrypt permissions. The kms:GenerateDataKey permissions allow you to initiate the upload. With kms:Decrypt permissions, you can encrypt newly uploaded parts with the key that you used for previous parts of the same object.
Note: After you upload all the parts, you must assemble the uploaded parts to complete the multipart upload operation. Because the uploaded parts are server-side encrypted with an AWS KMS key, you must decrypt object parts before you can assemble the parts. Therefore, you must have kms:Decrypt permissions for multipart upload requests that use server-side encryption with AWS KMS keys (SSE-KMS).
Resolution
Your AWS Identity and Access Management (IAM) role and key might exist in the same AWS account or different accounts. If your IAM role and key are in the same account, then you can specify kms:Decrypt permissions from an IAM policy or AWS KMS key policy. If your IAM role and key are in different accounts, then you must specify kms:Decrypt permissions in both the key and IAM policy.
Key policy
Review the AWS KMS key policy in the AWS Management Console policy view.
In the key policy, search for statements where the ARN of your IAM user or role is listed as an AWS principal. The ARN is in the following format: arn:aws:iam::111122223333:user/john.
Then, check the list of actions that your IAM user or role statements allow. For multipart uploads, the list of allowed actions must include kms:Decrypt with SSE-KMS.
For example, the following statement in a key policy allows the user John to perform the kms:Decrypt and kms:GenerateDataKey actions:
{ "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/john" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" },
IAM permissions
To review your IAM permissions, open the IAM console, and then choose your IAM user or role.
Review the list of permissions policies that apply to your IAM user or role. Make sure that there's an applied policy that allows you to perform the kms:Decrypt action on the key that you use to encrypt the object:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd" ] } }
This example statement grants the IAM user access to perform kms:Decrypt and kms:GenerateDataKey on the key arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd.
For instructions on how to update your IAM permissions, see Changing permissions for an IAM user.
Related information
But how abt that "when I upload a smaller file with encryption information, the upload succeeds"??? They upload successfully before, so I think they must have permission for KMS actions
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Helped, works, thank you. But why aren't you using "kms:Encrypt" to upload the object?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- Accepted Answerasked 4 years ago
- asked 8 days ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 9 months ago
