Open the AWS KMS console, and then view the key's policy document using the policy view. Modify the key's policy to grant the IAM user permissions for the kms:GenerateDataKey and kms:Decrypt actions at minimum. Add a statement similar to the following:
{
    "Sid": "ExampleStmt",
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/Jane"
    },
    "Resource": "*"
}
Note: This example policy includes only the minimum permissions required for an individual IAM user to download and upload to an encrypted S3 bucket. You can modify or expand the permissions based on your use case.
Open the IAM console from the account that the IAM user belongs to. Add a policy to the IAM user that grants the permissions to upload and download from the bucket. The policy must also work with the AWS KMS key that's associated with the bucket.
For cross-account scenarios, consider granting s3:PutObjectAcl permissions so that the IAM user can upload an object and then grant the bucket's account full control of that object (the bucket-owner-full-control canned ACL). Additionally, consider granting s3:ListBucket permissions, which are required for running a sync operation or a recursive copy operation. Use a policy that's similar to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DownloadandUpload",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        },
        {
            "Sid": "ListBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
        },
        {
            "Sid": "KMSAccess",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
        }
    ]
}
Note: For the first Resource value, enter the ARN for the bucket with a wildcard character to indicate the objects in the bucket. For the second Resource value, enter the ARN for the bucket. For the third Resource value, enter the AWS KMS key's ARN.
Open the Amazon S3 console from the account that owns the S3 bucket. Update the bucket policy to grant the IAM user access to the bucket. Use a policy similar to the following:
{
    "Id": "Policy1584399307003",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DownloadandUpload",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/Jane"
                ]
            }
        },
        {
            "Sid": "ListBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/Jane"
                ]
            }
        }
    ]
}
Note: For the Principal values, enter the IAM user's ARN. For the first Resource value, enter the ARN for the bucket with a wildcard character to indicate the objects in the bucket. For the second Resource value, enter the ARN for the bucket.
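The three policies above only work together: for a cross-account request, the caller's identity policy and the resource policy in the other account (the bucket policy for S3, the key policy for KMS) must both allow the action, and an upload to an SSE-KMS bucket needs both s3:PutObject and kms:GenerateDataKey. The following added example (not AWS code, and a simplified model of IAM evaluation rather than the real engine) encodes that rule and checks the article's sample policies for the user Jane; the ARNs and policies are constructed from the article.

```python
import fnmatch

# Constructed sample policies mirroring the three documents in this article (constructed ARNs).
JANE = "arn:aws:iam::111122223333:user/Jane"
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
KEY_ARN = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
KEY_POLICY = [{"Effect": "Allow", "Principal": {"AWS": JANE},
               "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]
IAM_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN},
]
BUCKET_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": [JANE]},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"], "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Principal": {"AWS": [JANE]}, "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    """True when the statement's Principal (if present), Action and Resource all cover the request."""
    p = stmt.get("Principal")
    if p is not None and p != "*":
        allowed = _as_list(p.get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _decision(stmts, principal, action, resource):
    effects = {s["Effect"] for s in stmts if _matches(s, principal, action, resource)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "Implicit")

def cross_account_allowed(identity_stmts, resource_stmts, principal, action, resource):
    """Simplified cross-account rule: an explicit Deny on either side wins; otherwise BOTH the
    caller's identity policy and the resource policy in the other account must Allow."""
    return (_decision(identity_stmts, principal, action, resource),
            _decision(resource_stmts, principal, action, resource)) == ("Allow", "Allow")

def can_use_sse_kms_object(principal, s3_action, kms_action, identity_stmts, bucket_stmts, key_stmts):
    """Upload = s3:PutObject + kms:GenerateDataKey; download = s3:GetObject + kms:Decrypt.
    A missing grant on either side of either resource makes the whole operation fail."""
    return (cross_account_allowed(identity_stmts, bucket_stmts, principal, s3_action, BUCKET_ARN + "/report.csv")
            and cross_account_allowed(identity_stmts, key_stmts, principal, kms_action, KEY_ARN))
```

Dropping any one of the three grants (the key policy statement, the KMSAccess statement in the IAM policy, or the user's entry in the bucket policy) makes the check fail, which is the usual cause of an AccessDenied on an SSE-KMS bucket even though the S3 permissions look correct.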