I want to download objects that are stored on Amazon Simple Storage Service (Amazon S3) and that use server-side encryption with AWS Key Management Service-managed keys (SSE-KMS). Do I need to specify the AWS KMS key to download these objects from the bucket?

No, you don’t need to specify the AWS KMS key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Instead, you need the permission to decrypt the AWS KMS key.

When a user sends a GET request, Amazon S3 checks if the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to decrypt the key associated with the object. If the IAM user or role belongs to the same AWS account as the key, then the permission to decrypt must be granted on the AWS KMS key’s policy.

Note: Even if the user has permission to decrypt the key in their IAM policy, the user still needs the permission on the key policy for the download to work.

If the IAM user or role belongs to a different account than the key, then the permission to decrypt must be granted on both the IAM user’s policy and the key’s policy.

The following is an example IAM policy that allows the user to decrypt with the AWS KMS key and to download objects from the S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
        "arn:aws:s3:::example-bucket-name/*"
      ]
    }
  ]
}

The following is an example key policy statement that allows the user to decrypt the key:

{
  "Sid": "Allow decryption of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:user/Bob"
    ]
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*"
}

Important: For IAM users or roles that belong to a different account than the bucket, be sure that the bucket policy also grants the user access to the objects. For example, if the user needs to download from the bucket, then the bucket policy must grant the user the s3:GetObject action.
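The following is an added example (not AWS code and not part of this article) that applies the rule above to the article's own policy documents: the key policy must grant kms:Decrypt in every case, and a cross-account caller additionally needs the IAM policy and the bucket policy. It uses a deliberately small subset of the IAM policy language (Allow/Deny, "*" wildcards in Action and Resource, "AWS" principals matched by exact ARN or "*"); conditions and the key policy's account-root delegation are not modelled, and the cross-account user Alice, her account ID, and the bucket policy are constructed for illustration.

```python
"""Model of the permission rule in this article. Added example, not AWS code.
Treat the result as a reading aid, not as an authorization decision."""
from fnmatch import fnmatchcase

# ARNs from the article's placeholders; Alice and her account are constructed.
KEY_ARN = "arn:aws:kms:example-region-1:123456789012:key/example-key-id"
OBJECT_ARN = "arn:aws:s3:::example-bucket-name/dir/example-object-name"
BOB = "arn:aws:iam::123456789012:user/Bob"
ALICE = "arn:aws:iam::210987654321:user/Alice"  # constructed: user in another account

# The article's IAM policy (attached to whichever user is being evaluated).
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "s3:GetObject"],
        "Resource": [KEY_ARN, "arn:aws:s3:::example-bucket-name/*"],
    }],
}


def key_policy_for(*principals):
    """The article's key policy statement, wrapped in a policy document."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow decryption of the key",
        "Effect": "Allow",
        "Principal": {"AWS": list(principals)},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
    }]}


def bucket_policy_for(*principals):
    """Constructed bucket policy granting s3:GetObject on the article's bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowGetObject",
        "Effect": "Allow",
        "Principal": {"AWS": list(principals)},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-name/*",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:resource


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, caller_arn, action, resource, check_principal):
    """Return 'Deny', 'Allow' or 'Implicit' (no matching statement).
    Resource-based policies (key, bucket) name a Principal; identity-based
    (IAM) policies do not, so principal matching is optional."""
    decision = "Implicit"
    for st in _as_list(policy.get("Statement", [])):
        if check_principal and not _principal_matches(st.get("Principal"), caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def can_download(caller_arn, iam_policy, key_policy, bucket_policy=None,
                 object_arn=OBJECT_ARN, key_arn=KEY_ARN):
    """Apply the article's rule to one GET. Returns (allowed, reason)."""
    bucket_policy = bucket_policy or {"Statement": []}
    cross_account = _account_of(caller_arn) != _account_of(key_arn)

    iam_kms = evaluate(iam_policy, caller_arn, "kms:Decrypt", key_arn, False)
    key_kms = evaluate(key_policy, caller_arn, "kms:Decrypt", key_arn, True)
    iam_s3 = evaluate(iam_policy, caller_arn, "s3:GetObject", object_arn, False)
    bkt_s3 = evaluate(bucket_policy, caller_arn, "s3:GetObject", object_arn, True)

    if "Deny" in (iam_kms, key_kms, iam_s3, bkt_s3):
        return False, "an explicit Deny applies"
    # The key policy gates kms:Decrypt in both cases (the article's Note):
    # an Allow in the IAM policy alone is not enough.
    if key_kms != "Allow":
        return False, "key policy does not grant kms:Decrypt to this principal"
    if cross_account:
        if iam_kms != "Allow":
            return False, "cross-account: IAM policy must also grant kms:Decrypt"
        if bkt_s3 != "Allow":
            return False, "cross-account: bucket policy must grant s3:GetObject"
        if iam_s3 != "Allow":
            return False, "cross-account: IAM policy must also grant s3:GetObject"
    elif "Allow" not in (iam_s3, bkt_s3):
        return False, "neither IAM policy nor bucket policy grants s3:GetObject"
    return True, "allowed"


if __name__ == "__main__":
    print(can_download(BOB, IAM_POLICY, key_policy_for(BOB)))      # same account: allowed
    print(can_download(BOB, IAM_POLICY, key_policy_for()))         # no key policy grant: denied
    print(can_download(ALICE, IAM_POLICY, key_policy_for(ALICE)))  # cross-account, no bucket policy
    print(can_download(ALICE, IAM_POLICY, key_policy_for(ALICE), bucket_policy_for(ALICE)))
```

Running the block walks through the four cases in the article's order: Bob in the key's account succeeds with just the two policies shown, Bob is refused when only his IAM policy allows kms:Decrypt, and Alice in another account is refused until the key policy, her IAM policy, and the bucket policy all grant the needed actions.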

After you have the permission to decrypt the key, you can download S3 objects encrypted with the key using an AWS Command Line Interface (AWS CLI) command similar to the following:

aws s3api get-object --bucket example-bucket-name --key dir/example-object-name example-object-name

Published: 2019-02-07