18

I want to upload a file from my local machine to S3 with KMS encryption. I have been using the following command:

    aws s3 cp /filepath s3://mybucket/filename --sse-kms-key-id <key id>

It shows the following error: "error occured:when calling the PutObject operation: Server Side Encryption with AWS KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms". What could possibly be causing this error?

vishal

2 Answers

40

It looks like you're missing the --sse aws:kms flag. You're likely looking for something like

    aws s3 cp /filepath s3://mybucket/filename --sse aws:kms --sse-kms-key-id <key id>

Check out aws s3 cp options for more details.

Jamie Starke
  • It is showing "aws:kms" as an unknown option. I've already viewed the cp command documentation and there is no clear explanation for what I'm looking for. Is there any other way? – vishal Oct 24 '17 at 05:44
  • What do you get for `aws -v`? – Jamie Starke Oct 24 '17 at 12:10
  • It shows as an unknown option. I don't think there is an "aws -v" command at all. Look at the link below: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html In this document it is mentioned that you can't get or put an object that has KMS encryption, and it can only be done with SigV4 or SSL. Do you have any idea how to use SigV4 in the CLI? It would be helpful. Thank you – vishal Oct 25 '17 at 04:00
  • Sorry, my mistake, `aws --version`? – Jamie Starke Oct 25 '17 at 04:01
  • `aws-cli/1.11.132 Python/2.7.12 Linux/4.9.51-10.52.amzn1.x86_64 botocore/1.5.95` is what it shows – vishal Oct 25 '17 at 04:03
  • Bizarre, this functionality was merged in back in 2015 (https://github.com/aws/aws-cli/pull/1623) – Jamie Starke Oct 25 '17 at 04:14
  • When I added "aws:kms", the second part of the error in my question went away. The first part alone remains (PutObject error). I've already looked at the link you mentioned and I have also enabled signature v4 with the command they mention, but I am still unable to upload or download. Is there any other mistake on my part? Thanks for your time. – vishal Oct 25 '17 at 04:27
  • Oh, so now we're down just to the `error occured:when calling the PutObject ` part? Alright, so now it's time to make sure that whatever user you're using has access to both `s3:PutObject` on the `arn:aws:s3:::/*` and also `kms:Decrypt` and `kms:DescribeKey` for the KMS Key you're using. – Jamie Starke Oct 25 '17 at 04:44
  • Bro, thanks a lot! You're a genius. Finally uploaded it. I had the default AWS KMS full access policy attached to my instance but it was missing "kms:Decrypt"; once I added it, it got uploaded. Thanks a lot, bro! – vishal Oct 25 '17 at 05:09
  • Haha, ok, I think I had a typo in there, I meant to do `kms:Encrypt`, but if it's working, don't mess with a good thing. If it solves your problem, mind accepting the answer? – Jamie Starke Oct 25 '17 at 05:32
  • Did it, bro. I added "kms:*" in the policy so it must have included all the actions – vishal Oct 25 '17 at 05:47
  • @JamieStarke Is this supposed to do client-side encryption? Because I uploaded the file using the snippet you provided, and then I just fetched it using `aws s3 cp`, and the content was unencrypted ... – Kousha Apr 24 '18 at 17:47
  • If you're using KMS encryption (which my example includes) encryption and decryption are handled by S3. If you have permission to decrypt, it will be done on your behalf. If you don't, you won't be able to download either. – Jamie Starke Apr 26 '18 at 03:33
  • this is also useful when you want to encrypt the files with a different key than they came with, e.g. to match the bucket – Ron U Nov 10 '22 at 06:20
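
An added example, not part of the original answer or its comments: a small audit of an IAM policy for the permissions discussed in this thread. AWS documents `kms:GenerateDataKey` as the KMS action S3 needs for an SSE-KMS `PutObject`, plus `kms:Decrypt` for multipart uploads (which `aws s3 cp` uses for large files), and the check also reports blanket grants such as `kms:*`. The bucket name, account id and key id are constructed placeholders, and the evaluation is simplified to Allow statements only (no Deny, Condition or Resource matching).

```python
import json
from fnmatch import fnmatchcase

# Actions an identity needs for `aws s3 cp --sse aws:kms` uploads.
# kms:GenerateDataKey covers a single PutObject; multipart uploads
# additionally need kms:Decrypt on the same key.
REQUIRED = ["s3:PutObject", "kms:GenerateDataKey", "kms:Decrypt"]

# Constructed sample policy (placeholder bucket, account id and key id).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (simplified evaluation)."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns += _as_list(stmt["Action"])
    return patterns


def audit(policy, required=REQUIRED):
    """Return (required actions not granted, over-broad wildcard patterns)."""
    patterns = allowed_patterns(policy)

    def granted(action):
        # IAM action names are case-insensitive; * and ? are wildcards.
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

    missing = [a for a in required if not granted(a)]
    too_broad = [p for p in patterns if p.split(":")[-1] == "*"]
    return missing, too_broad


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A policy that passes with an empty `missing` list and an empty `too_broad` list grants what the upload needs without handing out every KMS action on the key.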
-5

I just did this and it worked well, using the AWS S3 Master key:

    aws s3 cp myfile.txt s3://mybucketname/ --sse AES256

Based on reading this about encrypting sensitive data stored on s3.

Ishaan Javali
Mike Behr