Creating Bucket Policy to Deny Unencrypted Uploads


Hello, I'm trying to create a bucket policy to deny uploads that are not encrypted with KMS keys and use Macie to verify that the policy is correct. I applied the following policy to a bucket which I took directly from this AWS documentation:

{ "Version":"2012-10-17", "Id":"PutObjectPolicy", "Statement":[{ "Sid":"DenyObjectsThatAreNotSSEKMS", "Effect":"Deny", "Principal":"", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET1/", "Condition":{ "Null":{ "s3:x-amz-server-side-encryption-aws-kms-key-id":"true" } } } ] }

However, when I look in Amazon Macie it says that encryption is not required by bucket policy. (see screenshot) So I was wondering if this policy has all that is required for enforcing KMS encryption on object uploads or if there are additional policy statements necessary.


2개 답변
수락된 답변


If you set that bucket policy, uploading will fail if the encryption setting is other than KMS when using putobject.
In other words, the upload with the command below will fail.

aws s3api put-object --bucket s3-test --key test.txt --body test.txt --server-side-encryption AES256

Basically, if no option is specified, the default encryption set on the S3 bucket will be used, so I don't think there is much need to worry about the bucket policy.
For example, if you set the encryption method as an option as shown above, I think it is a valid bucket policy.

profile picture
답변함 3달 전
profile picture
검토됨 2달 전
  • Thank you so much for your help!


Please update the resource on the policy to include the splat as you have omitted it.


Other than that, are you sure it’s not enforce encryption of data in transit as this is another macie finding.

profile picture
답변함 3달 전
  • Thank you so much for your help! I intended to include the splat in the bucket policy so this was just an error on my part when posting the question.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠