I want my S3 bucket to store only objects encrypted by my KMS key. How can I do that?

Last updated: 2018-08-31

Short description

Use Amazon S3 default encryption so that objects uploaded without encryption headers (such as x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id) are encrypted by AWS KMS before they are stored in your S3 bucket. Then, use the bucket policy to deny uploads that request another encryption setting (AES-256, that is, SSE-S3 with Amazon S3-managed keys) and uploads that request AWS KMS encryption with a key ID that is not from your AWS account.

Note: To upload an object encrypted by an AWS KMS key, the key and the S3 bucket must be in the same AWS Region.

Resolution

Amazon S3 default encryption

Follow these steps to set your bucket's Amazon S3 default encryption to AWS KMS using the Amazon S3 console:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Properties view.
  4. Choose Default encryption, then select AWS-KMS.
  5. Choose Save.

Note: To enable Amazon S3 default encryption using the REST API, AWS Command Line Interface (AWS CLI), or an AWS SDK, see Enabling Amazon S3 default bucket encryption.

Bucket policy

Follow these steps to configure your bucket policy to deny upload requests that either use another encryption setting (AES-256), or that use AWS KMS encryption but contain a key ID that's not from your AWS account:

  1. Open the Amazon S3 console.
  2. Choose the bucket that you want to use for objects encrypted by AWS KMS.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. Enter a bucket policy similar to the following:
    Warning: Replace samplebucketname with the name of your bucket, and replace us-east-1:111122223333 with the correct AWS Region and your AWS account ID.
{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenySSE-S3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::samplebucketname/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::samplebucketname/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
                }
            }
        }
    ]
}
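The same two settings can be applied through the API instead of the console. The following is an added example, not code from the AWS article: it turns the article's placeholders (samplebucketname, us-east-1, 111122223333) into parameters, derives the key-ARN pattern in the second Deny statement from the actual KMS key ARN so the Region and account ID cannot drift, checks the same-Region requirement from the note above, and applies both the default encryption configuration and the bucket policy with boto3's PutBucketEncryption and PutBucketPolicy calls. The key ID used as sample input is a constructed placeholder; boto3 and configured credentials are assumed only for the apply step.

```python
"""
Added example (not part of the AWS article): API equivalent of the two console
procedures, set the bucket's default encryption to AWS KMS and then install the
bucket policy that rejects SSE-S3 uploads and foreign KMS key IDs.
Assumes boto3 and AWS credentials only inside apply(); the helpers are pure.
"""
import json


def parse_kms_key_arn(key_arn):
    """Split a KMS key ARN into (region, account_id).

    Alias ARNs and bare key IDs are rejected so that the policy pattern is
    always built from a real key ARN, which is what the condition key
    s3:x-amz-server-side-encryption-aws-kms-key-id is matched against.
    """
    parts = key_arn.split(":")
    if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms"
            or not parts[5].startswith("key/")):
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[3], parts[4]


def same_region(bucket_region, key_arn):
    """The KMS key and the bucket must be in the same Region (note above)."""
    region, _ = parse_kms_key_arn(key_arn)
    return region == bucket_region


def default_encryption_config(key_arn):
    """ServerSideEncryptionConfiguration for PutBucketEncryption: AWS KMS."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": key_arn,
    }}]}


def build_bucket_policy(bucket, key_arn):
    """The article's two Deny statements, parameterized by bucket and key."""
    region, account = parse_kms_key_arn(key_arn)
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            {   # deny uploads that explicitly request SSE-S3 (AES256)
                "Sid": "DenySSE-S3",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"}},
            },
            {   # deny uploads naming a KMS key outside this account and Region
                "Sid": "RequireKMSEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id":
                        f"arn:aws:kms:{region}:{account}:key/*"}},
            },
        ],
    }


def apply(bucket, bucket_region, key_arn):
    """Apply both settings with boto3 and read them back for verification."""
    import boto3  # imported here so the pure helpers work without boto3
    if not same_region(bucket_region, key_arn):
        raise ValueError("the KMS key and the bucket must be in the same Region")
    s3 = boto3.client("s3", region_name=bucket_region)
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(key_arn))
    s3.put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(build_bucket_policy(bucket, key_arn)))
    return (
        s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"],
        json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"]),
    )


if __name__ == "__main__":
    # Constructed sample values; replace them with your bucket and key.
    SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(json.dumps(build_bucket_policy("samplebucketname", SAMPLE_KEY), indent=4))
    # apply("samplebucketname", "us-east-1", SAMPLE_KEY)  # needs credentials
```

Deriving the policy's key-ARN pattern from the key ARN rather than typing the Region and account ID by hand is the point of the helper: a mismatch between the pattern and the real key would make every upload that names the correct key fail the second Deny statement.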
