I want to download stored objects from Amazon Simple Storage Service (Amazon S3) that use server-side encryption with AWS Key Management Service-managed keys (SSE-KMS).
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
You don't need to specify the AWS Key Management Service (AWS KMS) key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Instead, you need permission to decrypt with the AWS KMS key (the kms:Decrypt action) that the object was encrypted under.
When a user sends a GET request, Amazon S3 must check for the appropriate authorization. Amazon S3 checks whether the AWS Identity and Access Management (IAM) user or role that sent the request is authorized to decrypt the object's key. If the IAM user or role and the key belong to the same AWS account, then you must grant decrypt permissions on the key policy.
Note: When the IAM user or role and KMS key are in the same account, you can use IAM policies to control access to the key. However, your KMS key policy must give the account decrypt permissions. AWS does this by default. You must modify the key policy if decrypt permissions are missing. For more information, see Using IAM policies with AWS KMS.
If the IAM user or role and the key belong to different accounts, then grant decrypt permissions in both places: on the IAM user's or role's policy, and on the key policy.
The following is an example IAM policy that allows the user both to decrypt with the AWS KMS key and to download objects from the S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}
The following is an example key policy statement that allows the user to decrypt the key:
{
    "Sid": "Allow decryption of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:user/username"
        ]
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*"
}
Note: Replace 123456789012:user/username with the ARN of the IAM identity.
Note: For IAM users or roles that belong to a different account than the bucket, the bucket policy must also grant the user access to the objects. For example, if the user needs to download from the bucket, then the bucket policy must allow that user the s3:GetObject action on the bucket's objects.
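Before running the download, it helps to confirm that the two documents above actually line up: the identity's IAM policy must allow kms:Decrypt on the key ARN and s3:GetObject on the object ARN, and the key policy must name that identity as a principal for kms:Decrypt. The following script is an added example, not part of the AWS article and not an AWS tool; it embeds the article's two example policies (with the placeholder ARNs unchanged) and runs a deliberately simplified offline check. It models only Allow statements, IAM-style "*" and "?" wildcards, and principals given as ARNs; Deny statements, conditions, and cross-account bucket policies are not modelled, so a clean result is necessary but not sufficient.

```python
"""Offline sanity check for the grants an SSE-KMS download needs.

Added example, not AWS code. It evaluates the article's example IAM policy
and key policy against a hypothetical identity, key and object ARN. Only
Allow statements are modelled; Deny statements and Condition blocks are
ignored, so use it to spot a missing grant, not to prove access.
"""
from fnmatch import fnmatchcase
import json

# Constructed inputs: the article's example IAM policy, as JSON text.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "s3:GetObject"],
    "Resource": [
      "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
      "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    ]
  }]
}""")

# Constructed input: the article's example key policy statement, wrapped in a policy.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow decryption of the key",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/username"]},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement ("*" means everyone)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def policy_allows(policy, action, resource, principal=None):
    """True if some Allow statement covers (action, resource) and, when a
    principal is given, lists that principal or "*"."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            principals = _principals(stmt)
            if principal not in principals and "*" not in principals:
                continue
        # fnmatchcase gives the '*' / '?' wildcard semantics IAM uses for
        # Action and Resource (ARNs contain no '[' so no escaping is needed).
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def can_download_sse_kms(iam_policy, key_policy, identity_arn, key_arn, object_arn):
    """Return the list of missing grants; an empty list means all three are present."""
    missing = []
    if not policy_allows(iam_policy, "kms:Decrypt", key_arn):
        missing.append("IAM policy lacks kms:Decrypt on the key")
    if not policy_allows(iam_policy, "s3:GetObject", object_arn):
        missing.append("IAM policy lacks s3:GetObject on the object")
    if not policy_allows(key_policy, "kms:Decrypt", key_arn, principal=identity_arn):
        missing.append("key policy does not grant kms:Decrypt to the identity")
    return missing


if __name__ == "__main__":
    # Hypothetical identity, key and object built from the article's placeholders.
    problems = can_download_sse_kms(
        IAM_POLICY, KEY_POLICY,
        "arn:aws:iam::123456789012:user/username",
        "arn:aws:kms:example-region-1:123456789012:key/example-key-id",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/dir/example-object-name",
    )
    print("all grants present" if not problems else "\n".join(problems))
```

Swapping the identity ARN for one the key policy does not list reproduces the most common cause of an AccessDenied on a GET of an SSE-KMS object: the IAM side looks complete while the key policy never named the caller.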
After you have permission to decrypt with the key, you can use the AWS Command Line Interface (AWS CLI) to download S3 objects that are encrypted with that key. Run a command similar to the following:
aws s3api get-object --bucket DOC-EXAMPLE-BUCKET --key dir/example-object-name example-object-name
Related information
GetObject
get-object
Using server-side encryption with AWS KMS keys (SSE-KMS)