I'm trying to upload a large file to Amazon S3 with encryption using an AWS KMS key. Why is the upload failing?

Last updated: 2021-04-05

I'm trying to upload a large file to my Amazon Simple Storage Service (Amazon S3) bucket. In my upload request, I'm including encryption information using an AWS Key Management Service (AWS KMS) key. However, I get an Access Denied error. Meanwhile, when I upload a smaller file with encryption information, the upload succeeds. How can I fix this?

Short description

Confirm that you have the permission to perform kms:Decrypt actions on the AWS KMS key that you're using to encrypt the object.

The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when the file is large. To perform a multipart upload with encryption using an AWS KMS key, the requester must have kms:GenerateDataKey and kms:Decrypt permissions. The kms:GenerateDataKey permissions allow the requester to initiate the upload. With kms:Decrypt permissions, newly uploaded parts can be encrypted with the same key used for previous parts of the same object.

Note: After all the parts are uploaded successfully, the uploaded parts must be assembled to complete the multipart upload operation. Because the uploaded parts are server-side encrypted using a KMS key, object parts must be decrypted before they can be assembled. For this reason, the requester must have kms:Decrypt permissions for multipart upload requests using server-side encryption with KMS CMKs (SSE-KMS).

Resolution

If your AWS Identity and Access Management (IAM) role and the key are in the same account, then kms:Decrypt permissions must be specified in the key policy. If your IAM role belongs to a different account than the key, then kms:Decrypt permissions must be specified in both the key policy and the IAM policy.

Key policy

Review the AWS KMS key policy by using the AWS Management Console policy view.

In the key policy, search for statements where the Amazon Resource Name (ARN) of your IAM user or role is listed as an AWS principal. The ARN is in the format: arn:aws:iam::111122223333:user/john.

Then, check the list of actions allowed by the statements associated with your IAM user or role. For multipart uploads using SSE-KMS to work, the list of allowed actions must include kms:Decrypt.

For example, this statement in a key policy allows the user John to perform the kms:Decrypt and kms:GenerateDataKey actions:

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/john"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}

IAM permissions

To review your IAM permissions, open the IAM console, and then open your IAM user or role.

Review the list of permissions policies applied to your IAM user or role. Make sure that there's an applied policy that allows you to perform the kms:Decrypt action on the key used to encrypt the object.

For example:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": [
      "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    ]
  }
}

This example statement grants the IAM user access to perform kms:Decrypt and kms:GenerateDataKey on the key (arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd).
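As an added example (not code from the AWS article), the following Python checks a key policy or an IAM identity policy document, such as the two shown above, for the actions a multipart upload with SSE-KMS needs. The sample policy and the helper names are constructed for illustration; Resource and Condition elements are not evaluated, so the check assumes the statements target the key in question.

```python
import fnmatch
import json

# Actions a multipart upload with SSE-KMS needs, as described above.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    """Policy elements may be one string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_matches(statement, principal_arn):
    """Key policies name a Principal; IAM identity policies do not, so pass
    principal_arn=None for those. Resource/Condition are not evaluated."""
    if principal_arn is None:
        return True
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return any(p in ("*", principal_arn) for p in _as_list(aws))

def missing_actions(policy, principal_arn=None, required=REQUIRED_ACTIONS):
    """Return required actions that no Allow statement grants, plus any that
    an explicit Deny blocks. Globs such as kms:* match case-insensitively."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt, principal_arn):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    bucket.add(action)
    return sorted((set(required) - allowed) | denied)

# Constructed sample: a key policy that grants john only kms:GenerateDataKey,
# so he can start a multipart upload but later parts fail with Access Denied.
KEY_POLICY_NO_DECRYPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/john"},
    "Action": "kms:GenerateDataKey",
    "Resource": "*"
  }]
}""")
JOHN = "arn:aws:iam::111122223333:user/john"
print(missing_actions(KEY_POLICY_NO_DECRYPT, JOHN))  # ['kms:Decrypt']
```

Pass the key policy returned by the console (or by aws kms get-key-policy) together with the user or role ARN, and pass an IAM identity policy with no ARN; an empty result means both required actions are allowed.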

For instructions on how to update your IAM permissions, see Changing permissions for an IAM user.
