How do I troubleshoot the error "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4" when I try to access S3 objects that are encrypted with AWS KMS managed keys?

3 minuto de leitura
2

I'm trying to access Amazon Simple Storage Service (Amazon S3) objects that are encrypted with AWS Key Management Service (AWS KMS). I get the error "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4".

Resolution

You get this error when you access an AWS KMS-encrypted object using a signature version that's not AWS Signature Version 4. When you access an S3 object that's encrypted with an AWS KMS key, be sure that all your requests are signed with AWS Signature Version 4.

Be sure that you aren't making an anonymous request

You might get this error when you make an anonymous request. An anonymous request is a request that's not signed with AWS credentials. An example of an anonymous request is downloading an S3 object using the object URL on your browser or a HTTP client. An S3 object URL looks like the following:

https://bucketname.s3.region.amazonaws.com/folder/file.txt

Using an HTTP client such as curl, you can make an anonymous request with a command similar to the following:

curl -vo ./local/path/file.txt https://bucketname.s3.region.amazonaws.com/folder/file.txt

Be sure that you aren't using AWS Signature Version 2

Some S3 REST API endpoints and Regions still support requests that are signed using Signature Version 2. However, it's a best practice to use Signature Version 4 for signing in. For more information, see AWS Signature Version 2 turned off (deprecated) for Amazon S3.

Because some Regions still support Signature Version 2, you can make requests that are signed with Signature Version 2 to buckets in these Regions. However, AWS KMS requires that your requests are signed with Signature Version 4. If you use Signature Version 2 with an AWS KMS-encrypted object, this error appears:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

To identity the signature version that you used when making requests to objects in your bucket, try the following:

Note: For requests that specify AWS KMS managed keys, you must use Secure Sockets Layer (SSL) or Transport Layer Security (TLS). If you make a request that specifies AWS KMS keys over an unsecure connection (without SSL/TLS), then you get the following error:

An error occurred (InvalidArgument) when calling the <operation_performed> operation: Requests specifying Server Side Encryption with AWS KMS managed keys must be made over a secure connection.

Related information

Specifying server-side encryption with AWS KMS (SSE-KMS)

Authenticating requests (AWS Signature Version 2)

AWS OFICIAL
AWS OFICIALAtualizada há 2 anos