I set up my Amazon Simple Storage Service (Amazon S3) bucket to use default encryption with a custom AWS Key Management Service (AWS KMS) key. I want an AWS Identity and Access Management (IAM) user to be able to download from and upload to the bucket. How can I do that?

The IAM user and the AWS KMS key belong to the same AWS account

First, add the IAM user as a user of the custom AWS KMS key by following these steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Encryption keys.
  3. From the list of keys, choose the key that's associated with your bucket.
  4. Expand Key Policy.
  5. Under Key Users, choose Add.
  6. From the list of IAM users and roles, select the IAM user.
  7. Choose Attach.

Then, add a policy to the IAM user that grants permission to upload to and download from the bucket. No KMS statement is needed in the IAM policy in this case: adding the user under Key Users writes the user's ARN as a principal into the key policy's "Allow use of the key" statement, which grants kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey to that user directly. You can use a policy that's similar to the following:

Note: For the Resource value, enter the bucket's Amazon Resource Name (ARN) followed by /*, so that the statement matches the objects in the bucket. s3:GetObject and s3:PutObject are object-level actions; a Resource of the bare bucket ARN would not match them.

{
  "Version": "2012-10-17",
  "Statement": [{
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::examplebucket/*"
      ]
  }]
}

The IAM user and the AWS KMS key belong to different accounts

First, add the IAM user as a user of the custom AWS KMS key by following these steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Encryption keys.
  3. From the list of keys, choose the key that's associated with your bucket.
  4. Expand Key Policy.
  5. Under External Accounts, choose Add External Account.
  6. In the text box, enter the AWS account ID of the IAM user.
  7. Choose Save Changes.

Then, add a policy to the IAM user that grants permission to upload to and download from the bucket and to use the AWS KMS key that's associated with the bucket. The KMS statement is required here: adding an external account to the key policy only names that account's root principal (arn:aws:iam::ACCOUNT-ID:root), which delegates the decision to IAM in the user's account. The user therefore has no permission on the key until an IAM policy in that account grants the KMS actions explicitly. You can use a policy that's similar to the following:

Note: For the first Resource value, enter the bucket's ARN followed by /*. For the second Resource value, enter the AWS KMS key's ARN. The KMS actions listed match what the console grants a key user; if the user needs the key only for this bucket, you can trim them to the minimum S3 requires: kms:GenerateDataKey for uploads (multipart uploads also need kms:Decrypt) and kms:Decrypt for downloads.

{
  "Version": "2012-10-17",
  "Statement": [{
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
      ]
    }
  ]
}

Finally, update the bucket policy to grant the IAM user access to the bucket. You can use a policy that's similar to the following:

Note: For the Principal value, enter the IAM user's ARN. For the Resource value, enter the bucket's ARN followed by /*. Because the user and the bucket are in different accounts, this resource policy is required in addition to the user's IAM policy; for cross-account access both policies must allow the request.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123exampleaccountID:user/Jane"
      ]
    },
    "Action": [
      "s3:PutObject",
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::examplebucket/*"
    ]
  }]
}
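The two procedures differ in one detail that is easy to get wrong: in the same-account case the key policy names the user, so the IAM policy needs no KMS statement, while in the cross-account case the key policy only delegates to the external account and the IAM policy must carry the KMS actions itself. The Python script below is an added example, not part of the original article and not AWS code. It models the policy-evaluation rules involved (an explicit Deny wins; cross-account access needs both the resource policy and the identity policy; a same-account KMS key policy must either name the principal or delegate to IAM, in which case the identity policy must also allow) and runs both procedures through them, including the two failure modes (Key Users step skipped; cross-account IAM policy without KMS actions). The account IDs, key ID, user name and object key are made-up placeholders, the key policy is reconstructed in the shape the console writes it, and conditions, SCPs, session policies and KMS grants are deliberately not modelled.

```python
# Added example (not AWS code): a simplified model of the policy-evaluation rules the two
# procedures above rely on. Account IDs, key ID, user and object names are made-up
# placeholders; conditions, SCPs, session policies and KMS grants are not modelled.
import fnmatch

KEY_ACCOUNT = "111111111111"    # assumed owner of both the bucket and the KMS key
OTHER_ACCOUNT = "222222222222"  # assumed home account of the cross-account IAM user
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_ACCOUNT}:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
OBJECT_ARN = "arn:aws:s3:::examplebucket/report.csv"
KMS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",   # what the console grants
                   "kms:GenerateDataKey*", "kms:DescribeKey"]        # to a "key user"

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_match(principal, caller_arn):
    """'direct' if the Principal names the caller's ARN; 'account' if it only names the
    caller's account (root ARN, bare ID or '*'), which delegates the decision to IAM."""
    if principal == "*":
        return "account"
    acct = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p == caller_arn:
            return "direct"
        if p in ("*", acct, f"arn:aws:iam::{acct}:root"):
            return "account"
    return None

def _evaluate(policy, action, resource, caller_arn=None):
    """Return 'Deny', ('Allow', how) or None; caller_arn is given only for resource policies."""
    result = None
    for st in _as_list(policy.get("Statement", [])):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        how = "identity"
        if caller_arn is not None:  # resource policy: the Principal must cover the caller
            how = _principal_match(st.get("Principal", {}), caller_arn)
            if how is None:
                continue
        if st["Effect"] == "Deny":
            return "Deny"
        if result is None or how == "direct":
            result = ("Allow", how)
    return result

def is_allowed(caller_arn, action, resource, resource_account, identity_policy, resource_policy):
    """Explicit Deny anywhere wins. Cross-account: resource AND identity policy must allow. Same
    account: a KMS key policy must allow, by naming the principal or by delegating to IAM (then
    the identity policy must allow too); for S3 either the bucket or the identity policy is enough."""
    ident = _evaluate(identity_policy, action, resource)
    res = _evaluate(resource_policy, action, resource, caller_arn)
    if "Deny" in (ident, res):
        return False
    if caller_arn.split(":")[4] != resource_account:
        return ident is not None and res is not None
    if resource.startswith("arn:aws:kms:"):
        return res is not None and (res[1] == "direct" or ident is not None)
    return ident is not None or res is not None

def key_policy(use_principals):
    """Key policy as the console writes it: root delegation plus 'Allow use of the key'."""
    return {"Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"}, "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Action": KMS_USE_ACTIONS,
         "Principal": {"AWS": use_principals}, "Resource": "*"}]}

S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
                          "Resource": "arn:aws:s3:::examplebucket/*"}]}
S3_AND_KMS = {"Statement": S3_ONLY["Statement"] +
              [{"Effect": "Allow", "Action": KMS_USE_ACTIONS, "Resource": KEY_ARN}]}

def can_transfer(user_arn, identity_policy, kms_policy, bucket_policy):
    """(upload_ok, download_ok): PutObject to an SSE-KMS bucket needs s3:PutObject plus
    kms:GenerateDataKey on the bucket's key; GetObject needs s3:GetObject plus kms:Decrypt."""
    def ok(s3_action, kms_action):
        return (is_allowed(user_arn, s3_action, OBJECT_ARN, KEY_ACCOUNT, identity_policy, bucket_policy)
                and is_allowed(user_arn, kms_action, KEY_ARN, KEY_ACCOUNT, identity_policy, kms_policy))
    return ok("s3:PutObject", "kms:GenerateDataKey"), ok("s3:GetObject", "kms:Decrypt")

def same_account_case(added_as_key_user=True):
    """First procedure: user added under Key Users, IAM policy with S3 actions only, no bucket policy."""
    user = f"arn:aws:iam::{KEY_ACCOUNT}:user/Jane"
    return can_transfer(user, S3_ONLY, key_policy([user] if added_as_key_user else []), {"Statement": []})

def cross_account_case(identity_policy=S3_AND_KMS):
    """Second procedure: external account root in the key policy, bucket policy naming the user."""
    user = f"arn:aws:iam::{OTHER_ACCOUNT}:user/Jane"
    bucket_policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [user]},
                                    "Action": ["s3:PutObject", "s3:GetObject"],
                                    "Resource": "arn:aws:s3:::examplebucket/*"}]}
    return can_transfer(user, identity_policy, key_policy([f"arn:aws:iam::{OTHER_ACCOUNT}:root"]), bucket_policy)

if __name__ == "__main__":
    print(same_account_case(), same_account_case(False), cross_account_case(), cross_account_case(S3_ONLY))
```

Running the script prints the four decisions as (upload, download) pairs. Both procedures as written evaluate to (True, True). Skipping the Key Users step in the same-account case gives (False, False), because the key policy then only delegates to IAM and the S3-only IAM policy grants nothing on the key; giving the cross-account user the same-account IAM policy (S3 actions only) also gives (False, False), because the external-account entry in the key policy delegates rather than grants. The check deliberately tests only kms:GenerateDataKey and kms:Decrypt, the two KMS actions S3 actually calls for uploads and downloads.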


Published: 2019-01-31