4
votes

I'm trying to use server-side encryption with AWS KMS set up to upload objects to S3.

The documentation says that the uploaded objects should be encrypted:

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.

I've set up a KMS master key and am trying to use the CLI to upload an object in the following way:

aws s3api put-object --bucket test --key keys/test.txt --server-side-encryption aws:kms --ssekms-key-id <my_master_Key_id> --body test.txt

The upload succeeds and I see the following response:

{
    "SSEKMSKeyId": "arn:aws:kms:eu-central-1:<id>:key/<my_master_key>", 
    "ETag": "\"a4f4fdf078bdd5df758bf81b2d9bc94d\"", 
    "ServerSideEncryption": "aws:kms"
}

Also, when checking the file in S3, I see in the details that it has been encrypted server-side with the proper master key.

The problem is that when I download the file as a user who does not have permission to use the KMS master key, I can open and read the file without a problem, when it should be encrypted.

Note: I also have a PutObject policy denying all uploads without server-side encryption, which works fine.

I wonder if I misunderstand server-side encryption, or am I doing something wrong? Any help is appreciated.

1
How do you retrieve the object? The request should even fail if you don't supply the KMS key. If all objects within the bucket are encrypted, you could make a bucket policy that denies GetObject without the parameter header, but it should be done automatically for objects that are marked as encrypted. -- Frederic Henri
@FrédéricHenri I tried using the CLI get-object, and also tried directly from the AWS S3 console; in both cases I was able to download. I have a PutObject policy but not one for get; it's a good idea, I will try to add one for get as well. -- vtor
@FrédéricHenri Can you show me the documentation where the key is needed to download the object? You say the request should fail, but I don't think that's correct. I think server-side encryption only encrypts the data as it is stored on some disk volume within the S3 service. S3 decrypts it automatically when you download the object. -- Mark B
docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html: "All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4". I quickly read it and thought they mentioned the KMS key too. -- Frederic Henri

1 Answer

2
votes

Unfortunately, I think you misunderstood server-side encryption in S3. As you pointed out yourself, from the S3 server-side encryption (SSE) docs:

Server-side encryption is about protecting data at rest.

When S3 receives your object, it calls KMS to create a data key, encrypts your data with that data key (not the master key), and stores the encrypted data key along with the encrypted data.

When you try to download the encrypted files, S3 sees that they have been encrypted, asks KMS to decrypt the data key (using the master key), and then uses the decrypted data key to decrypt the data before returning it to you. My understanding from the docs and from the way SSE and KMS work is that there is no assumption that the user needs access to the master key for that to work -- it suffices that S3 has access to it.

The use case you described is more similar to S3 client-side encryption:

Client-side encryption refers to encrypting data before sending it to Amazon S3.

In this scenario, the S3 client (instead of S3 on the backend) will ask for a KMS data key (derived from the master key), encrypt data client-side and upload it. It will not be possible to decrypt it on the server, and when clients download the (encrypted) files, decryption needs to happen client-side (the S3 client deals with that for you, though).
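As an added illustration of the envelope-encryption flow the answer describes (this is example code, not from the question, the answer, or AWS), the Go below stands in for KMS with a local 32-byte master key: each object is encrypted under a fresh data key, only the wrapped data key is stored beside the ciphertext, and decryption fails for any party that cannot use the master key to unwrap it. The function names, the EnvelopeObject layout and the master-key bytes are constructed for this example; the real KMS master key never leaves KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EnvelopeObject is what gets stored: the body under a per-object data key, plus that data key wrapped by the master key.
type EnvelopeObject struct{ Body, WrappedKey []byte }

// gcmSeal/gcmOpen: AES-256-GCM with a fresh 12-byte nonce prefixed to the ciphertext.
func gcmSeal(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(sealed) < 12 {
		return nil, errors.New("bad key or ciphertext")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, sealed[:12], sealed[12:], nil) // any wrong key fails the GCM tag check
}

// EncryptObject is the write path (S3 itself for SSE-KMS, the client for client-side encryption); masterKey is a constructed stand-in for the KMS master key.
func EncryptObject(masterKey, body []byte) (EnvelopeObject, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	wrapped, err := gcmSeal(masterKey, dataKey) // KMS GenerateDataKey: the key comes back wrapped
	ct, _ := gcmSeal(dataKey, body)             // cannot fail: dataKey is a valid 32-byte key
	return EnvelopeObject{Body: ct, WrappedKey: wrapped}, err
}

// DecryptObject is the read path: unwrap the data key with the master key (KMS Decrypt), then decrypt the body.
func DecryptObject(masterKey []byte, obj EnvelopeObject) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, obj.Body)
}
```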