x-amz-server-side-encryption header is not supported for this operation

2
votes

I am running my application in an AWS AMI. The AMI is launched via a cloud formation template that creates AWS::IAM::Role role with sts:AssumeRole. Once the EC2 instance is up, I create an S3 bucket from the Ec2 instance using boto3.create_bucket.

In my application I upload a file to the created bucket with encryption flag on. But while uploading I'm getting an error:

com.amazonaws.services.s3.model.AmazonS3Exception: x-amz-server-side-encryption header is not supported for this operation. (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: 04DD9259D04F92CA), S3 Extended Request ID: EVdqFn6jUNshxUejZFWa6VN/lHPXHyi0F+TG+UZ3K9Sh8Gy0MPABi1AnxZloIajypLb39/5UAVA=

This is the server side encryption part of my code:

    ObjectMetadata meta = new ObjectMetadata();
    meta.setContentLength(contentLength);
    meta.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)

What am I doing wrong? This works as expected when I run my code elsewhere and use an S3 bucket. Is this somehow tied to cloud formation or sts:AssumeRole?

1
amazon-s3boto3aws-java-sdkamazon-cloudformation

1 Answers

1
votes

The Put object function in boto3 has options for setting the object level encryption.

object = bucket.put_object(
    ServerSideEncryption='AES256'|'aws:kms',
    SSECustomerAlgorithm='string',
    SSECustomerKey='string',
    SSEKMSKeyId='string',
)

  • ServerSideEncryption (string) -- The Server-side encryption algorithm used when storing this object in S3 (e.g., AES256, aws:kms). StorageClass (string) -- The type of storage to use for the object. Defaults to 'STANDARD'.

  • SSECustomerAlgorithm (string) -- Specifies the algorithm to use to when encrypting the object (e.g., AES256).

  • SSECustomerKey (string) -- Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm header.> -

  • SSECustomerKeyMD5 (string) -- Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error. Please note that this parameter is automatically populated if it is not provided. Including this parameter is not required

  • SSEKMSKeyId (string) -- Specifies the AWS KMS key ID to use for object encryption. All GET and PUT requests for an object protected by AWS KMS will fail if not made via SSL or using SigV4. Documentation on configuring any of the officially supported AWS SDKs and CLI can be found at http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version)

http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html