Require KMS encryption with specific key ID in S3 bucket policy

3
votes

I'm trying to require all objects put into a bucket to be encrypted with a specific KMS key. I've managed to require KMS encryption, but the key specification does not work. Here is the current policy I have (sans real bucket names and ids):

{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyInsecureCommunications",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket1,
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:123456789:key/12345-123-notmy-keyid-1234566"
                }
            }
        },

        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

This correctly denies uploads without any sever-side encryption specified, but it still allows using the default s3 key.

1
amazon-web-servicesencryptionamazon-s3aws-kms

1 Answers

5
votes

If there are multiple condition operators, or if there are multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition

This suggests that the dual-condition policy would only deny if both strings are not equal (that is, if encryption isn't used and the key-id is wrong).

Separating the tests for s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id into two separate Deny policy statements should be the fix.