S3 default SSE with KMS still requires a parameter for aws-cli
I've created an S3 bucket and configured default SSE to use KMS.

I can upload a file to the bucket with aws-cli provided I pass the --sse aws:kms flag, e.g.:

    aws s3 cp --sse aws:kms test.txt s3://my-bucket

But I expect this to work without the --sse aws:kms flag since this is default encryption, i.e. it should be applied when no encryption header is specified.

When I try without the header it fails:

    aws s3 cp test.txt s3://my-bucket
    upload failed: ./test.txt to s3://my-bucket/test.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

If I change from using AWS KMS to S3-managed SSE it works without any --sse flag, but I need to use AWS KMS. I've tried adding the following policy to my IAM user making the request but it still fails:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:*",
                    "kms:*"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*",
                    "arn:aws:kms:eu-west-2:1111112222:key/aaaabbbb-1122-2222-4444-eeeeff3333"
                ]
            }
        ]
    }

What am I missing to get this working?

amazon-web-services amazon-s3 amazon-kms
asked May 11 '18 at 11:04
allsap
1 Answer
This is only true because your KMS key policy did not specify that the user/role you used to perform the upload could execute GenerateDataKey, Encrypt, and Decrypt against the key.
Add that to your key policy (list yourself as a key user) and it should work.
answered Mar 6 at 23:15
Shawn Tolidano
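As an added offline illustration of the answer (example code, not from the question, the answer, or AWS), this simplified evaluator reports which of the three KMS actions a key policy grants a principal directly; the uploader and key-admin ARNs and both policies are constructed, and it deliberately ignores Deny, Condition, and the account-root delegation to IAM policies that the real evaluator also considers.

```python
import fnmatch

# Actions S3 calls on the uploader's behalf for SSE-KMS (the three the answer names).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt")

# Constructed ARNs: the question never shows the uploading user's ARN.
UPLOADER = "arn:aws:iam::1111112222:user/uploader"
ADMIN = "arn:aws:iam::1111112222:role/key-admin"
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_principal(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))

def allowed_actions(policy, principal_arn):
    """Required actions that an Allow statement grants principal_arn directly.
    Simplified on purpose: ignores Deny, Condition, and the account-root statement
    that delegates to IAM identity policies; the point is the direct key-user grant."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _matches_principal(stmt, principal_arn):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in REQUIRED_ACTIONS:
                # IAM action names match case-insensitively; "kms:*" covers all three
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted

def missing_actions(policy, principal_arn):
    return sorted(set(REQUIRED_ACTIONS) - allowed_actions(policy, principal_arn))

# Constructed key policy matching the question's symptom: the uploader is not a key user.
KEY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Allow key administration", "Effect": "Allow",
                   "Principal": {"AWS": ADMIN}, "Action": "kms:*", "Resource": "*"}],
}

# The answer's fix: add the uploader as a key user with the three actions.
KEY_USER_STATEMENT = {
    "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": UPLOADER},
    "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"], "Resource": "*",
}
KEY_POLICY_AFTER = {"Version": "2012-10-17",
                    "Statement": KEY_POLICY_BEFORE["Statement"] + [KEY_USER_STATEMENT]}
```

To check a real key, feed it the JSON returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` and the ARN of the identity that runs `aws s3 cp`.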