Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?

Last updated: 2020-11-10

I want to download objects that are stored on Amazon Simple Storage Service (Amazon S3) and that use server-side encryption with AWS Key Management Service-managed keys (SSE-KMS). Do I need to specify the AWS KMS key to download these objects from the bucket?

Resolution

You don’t need to specify the AWS KMS key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Amazon S3 stores the ARN of the key that was used in the object’s metadata and looks it up for you. What you do need is permission to use that specific key for kms:Decrypt. Note that an object can have been uploaded with a different key than the bucket’s default SSE-KMS key, so the key you need permission on is the one recorded on the object, not necessarily the bucket default.

When a user sends a GET request, Amazon S3 calls AWS KMS on behalf of the requester to decrypt the object’s data key, and AWS KMS checks whether the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to call kms:Decrypt on the key associated with the object. If the IAM user or role belongs to the same AWS account as the key, then the permission to decrypt must be granted on the AWS KMS key’s policy.

Note: If the IAM user or role and the KMS key are in the same account, then you can also use IAM policies to control access to the key. However, the key policy must explicitly enable IAM policies for that account (the default key policy does this with a statement that grants the account’s root principal, arn:aws:iam::123456789012:root, access to the key); a key policy that doesn’t include such a statement ignores IAM policies entirely. For more information, see Using IAM policies with AWS KMS.

If the IAM user or role belongs to a different account than the key, then the permission to decrypt must be granted on both the IAM user’s policy and the key’s policy. Neither one is sufficient alone: a key policy can’t grant permissions to an IAM principal in another account by itself, and an IAM policy in the caller’s account can’t grant access to a key that account doesn’t own.

The following is an example IAM policy that allows the user to both decrypt the AWS KMS key and also download from the S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}

The following is an example key policy statement that allows the user to decrypt the key. In a key policy, "Resource": "*" refers to the key that the policy is attached to. For the cross-account case, the principal listed here is the IAM user or role ARN (or the account root) from the other account:

{
  "Sid": "Allow decryption of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:user/Bob"
    ]
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*"
}

Important: For IAM users or roles that belong to a different account than the bucket, be sure that the bucket policy also grants the user access to objects. For example, if the user needs to download from the bucket, then the user must have permission to the s3:GetObject action on the bucket policy.
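The same-account and cross-account rules above are easy to get wrong when you are staring at two policy documents, so here is an added example (not part of the original article) that encodes them as a small, offline decision procedure and runs it against policies modelled on the ones shown above. It is a simplified teaching model, not the AWS authorization engine: only Allow statements with "AWS" principals are evaluated, and Deny, Condition, KMS grants, service principals and kms:ViaService are ignored. All ARNs, account IDs and policy documents in it are constructed sample data.

```python
"""
Simplified model of the kms:Decrypt decision described in the article.
Deliberately ignores Deny, Condition, grants, service principals and
kms:ViaService; hypothetical teaching code, not the AWS authorization engine.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample identifiers: the article's placeholders plus a second account.
KEY_ARN = "arn:aws:kms:example-region-1:123456789012:key/example-key-id"
BOB = "arn:aws:iam::123456789012:user/Bob"      # same account, named in the key policy
ALICE = "arn:aws:iam::123456789012:role/Alice"  # same account, relies on an IAM policy
CAROL = "arn:aws:iam::999999999999:user/Carol"  # different account from the key

_IAM_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def account_of(principal_arn):
    """Account ID embedded in an IAM user/role (or STS assumed-role) ARN."""
    m = _IAM_ARN.match(principal_arn)
    if not m:
        raise ValueError(f"not an IAM principal ARN: {principal_arn}")
    return m.group(1)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy, action):
    """Yield Allow statements whose Action matches `action` (action names are case-insensitive)."""
    for st in _as_list(policy.get("Statement", [])):
        patterns = _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            yield st


def key_policy_grant(key_policy, principal_arn, action="kms:Decrypt"):
    """
    How the key policy refers to the caller:
      "principal" - a statement names the principal ARN itself (or "*");
      "account"   - a statement names only the caller's account root, the
                    "Enable IAM User Permissions" pattern that delegates the
                    decision to IAM policies in that account;
      None        - the key policy does not mention the caller at all.
    """
    acct = account_of(principal_arn)
    root_forms = {acct, f"arn:aws:iam::{acct}:root"}
    found = None
    for st in _allow_statements(key_policy, action):
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn in aws or "*" in aws:
            return "principal"
        if root_forms & set(aws):
            found = "account"
    return found


def iam_policy_allows(iam_policy, key_arn, action="kms:Decrypt"):
    """True if the caller's identity policy allows `action` on the key ARN (resources are case-sensitive)."""
    return any(any(fnmatchcase(key_arn, r) for r in _as_list(st.get("Resource", [])))
               for st in _allow_statements(iam_policy, action))


def can_decrypt(principal_arn, key_arn, key_policy, iam_policy):
    """Apply the article's two cases. Returns (allowed, reason)."""
    key_account = key_arn.split(":")[4]
    grant = key_policy_grant(key_policy, principal_arn)
    via_iam = iam_policy_allows(iam_policy, key_arn)

    if account_of(principal_arn) == key_account:
        # Same account: the key policy alone suffices if it names the principal;
        # otherwise it must delegate to IAM, and the IAM policy must then allow.
        if grant == "principal":
            return True, "same account: key policy names the principal"
        if grant == "account" and via_iam:
            return True, "same account: key policy enables IAM policies and the IAM policy allows"
        if grant == "account":
            return False, "same account: key policy delegates to IAM, but no IAM policy allows kms:Decrypt"
        return False, "same account: key policy mentions neither the principal nor its account"

    # Cross account: the key policy AND the caller's IAM policy must both allow.
    if grant is None:
        return False, "cross account: key policy does not grant the external principal or account"
    if not via_iam:
        return False, "cross account: key policy allows, but the caller's IAM policy does not"
    return True, "cross account: key policy and IAM policy both allow"


# Constructed sample policies modelled on the article's examples.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",        # delegates to IAM in the key's account
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow decryption of the key", "Effect": "Allow",         # article's statement, plus external user Carol
     "Principal": {"AWS": [BOB, CAROL]}, "Action": ["kms:Decrypt"], "Resource": "*"},
]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [                # the article's identity policy
    {"Effect": "Allow", "Action": ["kms:Decrypt", "s3:GetObject"],
     "Resource": [KEY_ARN, "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}
NO_KMS_POLICY = {"Version": "2012-10-17", "Statement": [             # S3 access only, no kms:Decrypt
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}]}

if __name__ == "__main__":
    for who, iam in ((BOB, NO_KMS_POLICY), (ALICE, IAM_POLICY), (ALICE, NO_KMS_POLICY),
                     (CAROL, IAM_POLICY), (CAROL, NO_KMS_POLICY)):
        print(who.rsplit("/", 1)[1], can_decrypt(who, KEY_ARN, KEY_POLICY, iam))
```

Running it shows Bob succeeding with no IAM policy at all (the key policy names him directly), Alice succeeding only when her IAM policy carries kms:Decrypt on the key ARN, and Carol, in the other account, needing both documents to agree. If a real download fails with AccessDenied even though the S3 side is correct, walk the same two questions in this order: does the key policy mention the caller or its account root, and does the caller’s IAM policy name the key ARN (not just the bucket).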

After you have the permission to decrypt the key, you can download S3 objects encrypted with the key using an AWS Command Line Interface (AWS CLI) command similar to the following. The command takes no key ID: Amazon S3 reads the key ARN from the object’s metadata, and the response reports it back as SSEKMSKeyId alongside "ServerSideEncryption": "aws:kms".

aws s3api get-object --bucket DOC-EXAMPLE-BUCKET --key dir/example-object-name example-object-name

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.