S3 SSEKMSKeyId Not required when getObject

0

I'm sending files by specifying the SSEKMSKeyId using the PHP code below:

    // Upload with SSE-KMS, naming the customer managed key to encrypt with
    $response = self::$s3Client->putObject([
        'Bucket'                              => $bucket,
        'Key'                                 => $fileName,
        'Body'                                => fopen($file, 'r'),
        'ContentType'                         => $fileType,
        'ServerSideEncryption'                => 'aws:kms',
        'SSEKMSKeyId'                         => $encryptionKeyId,
        'ServerSideEncryptionBucketKeyEnabled' => 'true',
    ]);

When I go to retrieve the file, it's not requiring me to send the 'SSEKMSKeyId' to get the file unencrypted. I can see in the Console that Server Side Encryption is on for the file and it's enabled using the Key ID that I sent during the putObject.

    // Download: no SSEKMSKeyId is passed here
    $response = self::$s3Client->getObject([
        'Bucket' => $bucket,
        'Key'    => $fileName,
    ]);

I would expect the behavior to return an encrypted file without 'SSEKMSKeyId'. What am I missing?

2 answers
1

If you have permission to decrypt with the KMS key and access to the S3 bucket/object, you'll be able to access the file without any issue. If a user has access to this S3 bucket/object but doesn't have access to the KMS key, they will get an access denied error when trying to GetObject.

Refer to this re:Post Knowledge Center article.


Hope this clarifies your doubt. Comment here if you have additional questions, happy to assist.

Abhishek
AWS Expert
answered a month ago
0

Encryption Process:

You use SSEKMSKeyId during putObject to specify the KMS key for encryption. S3 encrypts the uploaded file data "at rest" using the provided KMS key. This means the data is encrypted on S3's servers. Crucially, S3 stores the information about the KMS key used for encryption along with the object itself.

Decryption Process:

When you call getObject on the encrypted object, S3 retrieves the necessary information about the KMS key from the object's metadata. S3 automatically decrypts the object data using the retrieved KMS key before returning it to you.

Why SSEKMSKeyId Isn't Needed in getObject:

Since S3 stores the KMS key information with the object, you don't need to include SSEKMSKeyId again during getObject. S3 already knows which key to use for decryption.

sandeep
answered a month ago
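Both answers come down to the same two facts: S3 records the KMS key ARN in the object's metadata at upload time, and at download time the caller's own KMS permissions decide whether S3 can decrypt. The following PHP script is an added example (not code from the question or either answer) that makes both visible: it uploads with SSE-KMS, uses HeadObject to confirm S3 recorded the intended key, then reads the object back without any key parameter and separates an AccessDenied (the KMS-permission case from the first answer) from other failures. It assumes AWS SDK for PHP v3 with Composer autoloading, credentials from the default provider chain, and that `$bucket`, `$key` and `$kmsKeyArn` are placeholders you replace; `BucketKeyEnabled` is the SDK's parameter name for the bucket-key header and takes a PHP boolean.

```php
<?php
// Added example, not from the re:Post thread. Assumes AWS SDK for PHP v3,
// Composer autoload, and default credential resolution. All values below
// are placeholders.

require 'vendor/autoload.php';

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$bucket    = 'example-bucket';                                   // placeholder
$key       = 'reports/sample.txt';                               // placeholder
$kmsKeyArn = 'arn:aws:kms:us-east-1:111122223333:key/'          // placeholder
           . '00000000-0000-0000-0000-000000000000';

$s3 = new S3Client(['region' => 'us-east-1', 'version' => 'latest']);

// 1. Upload. The key is named only here. The uploader needs
//    kms:GenerateDataKey on this key; S3 stores the key ARN with the object.
$s3->putObject([
    'Bucket'               => $bucket,
    'Key'                  => $key,
    'Body'                 => 'constructed sample content',     // constructed
    'ServerSideEncryption' => 'aws:kms',
    'SSEKMSKeyId'          => $kmsKeyArn,
    'BucketKeyEnabled'     => true,
]);

// 2. Verify what S3 actually recorded, rather than trusting the console.
//    HeadObject reports the full key ARN in SSEKMSKeyId, so compare against
//    the ARN (an alias or bare key ID passed at upload will not match).
$head = $s3->headObject(['Bucket' => $bucket, 'Key' => $key]);
if (($head['ServerSideEncryption'] ?? null) !== 'aws:kms') {
    throw new RuntimeException('Object is not SSE-KMS encrypted');
}
if (($head['SSEKMSKeyId'] ?? '') !== $kmsKeyArn) {
    throw new RuntimeException(
        'Object encrypted with unexpected key: ' . ($head['SSEKMSKeyId'] ?? '(none)')
    );
}

// 3. Read it back with no SSEKMSKeyId. S3 looks up the stored key ARN and
//    calls KMS Decrypt under the caller's identity, so kms:Decrypt on that
//    key (plus s3:GetObject) is what gates access.
try {
    $obj  = $s3->getObject(['Bucket' => $bucket, 'Key' => $key]);
    $body = (string) $obj['Body'];
    echo 'Read ' . strlen($body) . " bytes; encrypted with {$obj['SSEKMSKeyId']}\n";
} catch (S3Exception $e) {
    if ($e->getAwsErrorCode() === 'AccessDenied') {
        // A missing s3:GetObject and a missing kms:Decrypt both surface as
        // AccessDenied; the error message and the CloudTrail Decrypt event
        // for the key tell them apart.
        fwrite(STDERR, "AccessDenied: check s3:GetObject on the object and kms:Decrypt on $kmsKeyArn\n");
    }
    throw $e;
}
```

Step 2 is the check worth keeping in real code: it catches an object that was silently written with the bucket's default key (or with SSE-S3) instead of the key you intended, which the successful GetObject in the question would never reveal.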
