Why do I need permission to decrypt the AWS KMS key when I run Amazon S3 multipart uploads with SSE-KMS?

Last updated: 2019-09-20

I want to perform a multipart upload to Amazon Simple Storage Service (Amazon S3). Additionally, I want to run the multipart upload using server-side encryption with keys stored in AWS Key Management Service (SSE-KMS). Among the other permissions that I need for the AWS KMS key, why do I need permission to decrypt the key (kms:Decrypt) to perform the multipart upload?  

Resolution

A multipart upload to Amazon S3 involves the initiation of the multipart upload, the upload of the parts, and then the completion of the multipart upload. During the completion of the multipart upload, the parts are assembled.

If you initiate a multipart upload using SSE-KMS, then all the uploaded parts are encrypted using the specified AWS KMS key. Because the parts are encrypted, they must be decrypted before they can be assembled to complete the multipart upload. Therefore, you must have permission to decrypt the AWS KMS key (kms:Decrypt) when you run a multipart upload to Amazon S3 with SSE-KMS.

Important: In addition to kms:Decrypt, confirm that you have all the required permissions to use the AWS KMS key. For more information, see AWS KMS API Permissions: Actions and Resources Reference.
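The following is an added example, not code from the AWS article: a Python function that runs the three multipart steps (initiate, upload parts, complete) with boto3-style calls and aborts the upload if any step fails, plus an offline stand-in client that models where S3 checks the two KMS permissions. The bucket name, object key, KMS key ARN and the `FakeS3` class are constructed for this example; the requirement for `kms:GenerateDataKey` at initiation comes from the Amazon S3 documentation rather than this article, and the model is deliberately simplified (the real service may call AWS KMS at other steps as well).

```python
"""Multipart upload to S3 with SSE-KMS, with an offline model of the KMS
permission checks. Added example; FakeS3 and all names are constructed."""
from __future__ import annotations

# Real S3 rejects parts under 5 MiB except the last; the model does not enforce it.
PART_SIZE_S3_MIN = 5 * 1024 * 1024


class KmsAccessDenied(Exception):
    """Raised by the model when the caller lacks a KMS permission."""


class FakeS3:
    """Offline stand-in for a boto3 S3 client. `allowed` models what the
    caller's IAM and key policies grant on the KMS key."""

    def __init__(self, allowed: set[str]):
        self.allowed = set(allowed)
        self.uploads: dict[str, list[bytes]] = {}  # upload_id -> stored parts
        self.objects: dict[str, bytes] = {}        # key -> assembled object
        self.aborted: list[str] = []

    def _require(self, action: str) -> None:
        if action not in self.allowed:
            raise KmsAccessDenied(f"{action} is not allowed on the KMS key")

    def create_multipart_upload(self, Bucket, Key, ServerSideEncryption, SSEKMSKeyId):
        # Initiation: S3 obtains a data key (assumption: kms:GenerateDataKey).
        assert ServerSideEncryption == "aws:kms"
        self._require("kms:GenerateDataKey")
        upload_id = f"upload-{len(self.uploads) + len(self.aborted) + 1}"
        self.uploads[upload_id] = []
        return {"UploadId": upload_id}

    def upload_part(self, Bucket, Key, UploadId, PartNumber, Body):
        # Parts are stored encrypted under the data key from initiation.
        self.uploads[UploadId].append(bytes(Body))
        return {"ETag": f'"etag-{PartNumber}"'}

    def complete_multipart_upload(self, Bucket, Key, UploadId, MultipartUpload):
        # Completion: parts are decrypted and assembled, so kms:Decrypt is needed.
        self._require("kms:Decrypt")
        parts = self.uploads.pop(UploadId)
        assert len(MultipartUpload["Parts"]) == len(parts)
        self.objects[Key] = b"".join(parts)
        return {"Key": Key}

    def abort_multipart_upload(self, Bucket, Key, UploadId):
        self.uploads.pop(UploadId, None)
        self.aborted.append(UploadId)
        return {}


def multipart_upload_sse_kms(s3, bucket: str, key: str, data: bytes,
                             kms_key_id: str, part_size: int = PART_SIZE_S3_MIN) -> int:
    """Upload `data` as an SSE-KMS multipart object; returns the part count.
    Works with a real boto3 S3 client or FakeS3. On any failure the upload is
    aborted so orphaned encrypted parts do not linger (and keep being billed)."""
    resp = s3.create_multipart_upload(Bucket=bucket, Key=key,
                                      ServerSideEncryption="aws:kms",
                                      SSEKMSKeyId=kms_key_id)
    upload_id = resp["UploadId"]
    try:
        parts = []
        for number, offset in enumerate(range(0, len(data), part_size), start=1):
            r = s3.upload_part(Bucket=bucket, Key=key, UploadId=upload_id,
                               PartNumber=number, Body=data[offset:offset + part_size])
            parts.append({"PartNumber": number, "ETag": r["ETag"]})
        s3.complete_multipart_upload(Bucket=bucket, Key=key, UploadId=upload_id,
                                     MultipartUpload={"Parts": parts})
        return len(parts)
    except Exception:
        s3.abort_multipart_upload(Bucket=bucket, Key=key, UploadId=upload_id)
        raise


def kms_statement(key_arn: str) -> dict:
    """IAM policy statement granting the two KMS actions the upload needs."""
    return {"Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": key_arn}


def demo() -> tuple[int, bool]:
    """Run the flow with full permissions, then again without kms:Decrypt."""
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    data = bytes(range(256)) * 40  # constructed 10 KiB payload -> 3 parts of 4 KiB
    ok = FakeS3({"kms:GenerateDataKey", "kms:Decrypt"})
    n = multipart_upload_sse_kms(ok, "example-bucket", "big.bin", data, key_arn, part_size=4096)
    assembled = ok.objects["big.bin"] == data

    no_decrypt = FakeS3({"kms:GenerateDataKey"})
    try:
        multipart_upload_sse_kms(no_decrypt, "example-bucket", "big.bin", data, key_arn, part_size=4096)
        refused = False
    except KmsAccessDenied:
        refused = True  # initiation and part uploads succeeded; completion was refused
    return n, assembled and refused and no_decrypt.aborted == ["upload-1"]


if __name__ == "__main__":
    print(demo())
```

Against the real service, pass `boto3.client("s3")` in place of `FakeS3` and keep the default 5 MiB part size. The second run in `demo()` is the failure mode this article describes: with `kms:GenerateDataKey` but no `kms:Decrypt`, every part uploads successfully and the request is refused only at `CompleteMultipartUpload`, which is why the function aborts the upload rather than leaving encrypted parts behind.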
