I want to upload a large file to my Amazon Simple Storage Service (Amazon S3) bucket. In my upload request, I include encryption information with an AWS Key Management Service (AWS KMS) key. However, I get an Access Denied error.
Short description
Confirm that you have permission to perform kms:Decrypt actions on the AWS KMS key that you use to encrypt the object.
For large files, high-level aws s3 commands with the AWS Command Line Interface (AWS CLI), AWS SDKs, and many third-party programs automatically perform a multipart upload. To use an AWS KMS key to encrypt a multipart upload, you must have kms:GenerateDataKey and kms:Decrypt permissions. The kms:GenerateDataKey permission allows you to initiate the upload. The kms:Decrypt permission allows you to encrypt newly uploaded parts with the key that you used for previous parts of the same object.
Note: To perform a multipart upload with encryption using an AWS KMS key, you must have the following:
- Permission to the kms:Decrypt and kms:GenerateDataKey actions on the key.
- Permissions for the kms:GenerateDataKey action for the CreateMultipartUpload API.
- Permissions for the kms:Decrypt action on the UploadPart and UploadPartCopy APIs. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before the multipart upload is completed.
If your AWS Identity and Access Management (IAM) user or role is in the same AWS account as the KMS key, then you must have these permissions on the key policy. If your IAM user or role belongs to a different account than the KMS key, then you must have the permissions on both the key policy and your IAM user or role.
Resolution
Key policy
Review the AWS KMS key policy in the AWS Management Console policy view.
In the key policy, search for statements where the Amazon Resource Name (ARN) of your IAM user or role is listed as an AWS principal. The ARN is in the following format: arn:aws:iam::111122223333:user/john.
Then, check the list of actions that those statements allow for your IAM user or role. For multipart uploads with SSE-KMS, the list of allowed actions must include kms:Decrypt.
For example, the following statement in a key policy allows the user John to perform the kms:Decrypt and kms:GenerateDataKey actions:
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/john"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
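To make that review repeatable, the following added example (not code from the original article or from AWS) parses a key policy offline and reports which of the two required actions a given principal is still missing. The policy document and the user ARNs are constructed for illustration; it handles single-value or list forms of Statement, Principal and Action, wildcard actions such as kms:*, and explicit Deny statements.

```python
import fnmatch
import json

# Constructed key policy, modelled on the statement shown above: "john" gets
# both actions, while "jane" lacks kms:Decrypt, so her multipart upload would
# be refused once UploadPart needs to decrypt earlier parts.
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/john"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "Encrypt only", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/jane"]},
         "Action": "kms:GenerateDataKey", "Resource": "*"},
    ],
})

# Both actions are needed for an SSE-KMS multipart upload.
REQUIRED = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM allows a single string or a list in most policy elements."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json, principal_arn):
    """Return the subset of REQUIRED that the key policy grants to principal_arn.

    An explicit Deny wins over an Allow, as in IAM evaluation. Only the "AWS"
    principal element is inspected; a key policy's Resource is always "*".
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        matched = {a for a in REQUIRED if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return allowed - denied


def missing_for_multipart(policy_json, principal_arn):
    """Actions the principal still needs before SSE-KMS multipart uploads can succeed."""
    return sorted(set(REQUIRED) - allowed_actions(policy_json, principal_arn))
```

Run missing_for_multipart(KEY_POLICY, "<your-principal-arn>") against a key policy fetched with aws kms get-key-policy to see which action is absent; remember that a cross-account principal also needs the same actions in its own IAM policy.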
IAM permissions
To review your IAM permissions, open the IAM console, and then choose your IAM user or role.
Review the list of permissions policies that apply to your IAM user or role. Make sure that there's an applied policy that allows you to perform the kms:Decrypt action on the key that you use to encrypt the object:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": [
            "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
        ]
    }
}
The example statement grants the IAM user access to perform kms:Decrypt and kms:GenerateDataKey on the key arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd.
For instructions on how to update your IAM permissions, see Changing permissions for an IAM user.
Related information
AWS Policy Generator
Data encryption in Amazon S3