
Using Terraform I am able to create an S3 bucket with KMS encryption enabled. But when I try to download any file from the KMS-enabled S3 bucket, it fails to download, saying Access Denied.

Error logs:

download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

main.tf

resource "aws_s3_bucket" "s3_bucket_two" {
  bucket = "dev-analytics-data"
#  bucket = "services-${lookup(var.aws_account_id, terraform.workspace)}-cicd-storage"
  acl    = "${var.acl}"
  versioning {
    enabled = "${var.enable_versioning}"
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${data.terraform_remote_state.kms_s3.key_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

IAM Policy used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345678910:role/iam_role_devops_engineer",
                    "arn:aws:iam::12345678910:role/EMR_AutoScaling_DefaultRole",
                    "arn:aws:iam::12345678910:role/EMR_DefaultRole",
                    "arn:aws:iam::12345678910:user/iam_user_cng_jenkins",
                    "arn:aws:iam::12345678910:role/iam_role_sftp",
                    "arn:aws:iam::12345678910:role/iam_role_jenkins_user",
                    "arn:aws:iam::12345678910:role/EMR_EC2_DefaultRole"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::services-12345678910-cicd-storage",
                "arn:aws:s3:::services-12345678910-cicd-storage/*"
            ]
        }
    ]
}

I also tried uploading via the AWS CLI, but that still failed.

aws s3 cp --sse aws:kms --sse-kms-key-id arn:aws:kms:eu-central-1:1234567890:key/123asdps-as34-as23-asas-aslkui98393 spark-sql-kinesis_2.11-2.3.1.jar s3://services-1234567890-cicd-storage/tesie_jars/

asur
  • See the 'Object is encrypted by AWS KMS' section at https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/ – jarmod Jan 21 '19 at 21:53

2 Answers


You need to grant access to the KMS key in your IAM policy.

I'm not 100% sure of the permissions you need, but start with these (I happen to know this set works, because I copied it from a working policy, but it may include permissions that aren't needed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:GetKeyPolicy",
                "kms:ListGrants",
                "kms:ListKeyPolicies",
                "kms:ListRetirableGrants",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": "arn:aws:kms:REDACTED:REDACTED:key/REDACTED"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateRandom",
                "kms:ListAliases",
                "kms:ListKeys"
            ],
            "Resource": "*"
        }
    ]
}
guest
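Why the KMS actions matter: when an object is stored with SSE-KMS, S3 calls KMS on the requester's behalf (kms:Decrypt for GetObject, kms:GenerateDataKey for PutObject), and if the caller cannot make that call, S3 reports a plain AccessDenied on the S3 operation, which is exactly the error in the question. Note that the policy in the question has a Principal element, so it is a bucket policy; the statements in this answer belong in the identity policy of the role or user that runs the download. The script below is an added example, not code from the question or the answer: it applies a simplified IAM evaluation (explicit Deny wins, otherwise any matching Allow, wildcards in Action and Resource, no Condition, NotAction, key policy or SCPs) to the asker's policy, to the same policy with this answer's key-scoped statement added, and to a variant with a Deny, and reports which of the needed actions are missing. The key ARN, account id and bucket name are made up.

```python
"""Offline check of the permissions S3 needs to serve an SSE-KMS object.

Constructed example for this thread, not code from the question or the answers.
Models only Effect/Action/Resource with IAM's basic rules (explicit Deny wins,
else any matching Allow, else implicit deny). A pass is necessary, not sufficient:
the KMS key policy, Conditions, grants and SCPs are not evaluated here.
"""
import fnmatch

# Assumed identifiers (made up; not the ones from the original post).
KEY_ARN = "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"
BUCKET_ARN = "arn:aws:s3:::services-123456789012-cicd-storage"
OBJECT_ARN = BUCKET_ARN + "/jars/jdbc-0.211.jar"

# (action, resource) pairs IAM must allow for each S3 operation on an SSE-KMS object.
REQUIRED = {
    "GetObject": [("s3:GetObject", OBJECT_ARN), ("kms:Decrypt", KEY_ARN)],
    "PutObject": [("s3:PutObject", OBJECT_ARN), ("kms:GenerateDataKey", KEY_ARN)],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(statements, action, resource):
    """Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    allowed = False
    for st in statements:
        if not _matches(st.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(st.get("Resource", []), resource, ignore_case=False):
            continue
        if st.get("Effect") == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def missing_permissions(statements, operation):
    """Actions from REQUIRED[operation] that the statements do not grant."""
    return [a for a, r in REQUIRED[operation] if not is_allowed(statements, a, r)]


# Identity-policy form of the question's statement: S3 only, no KMS actions.
ASKER_POLICY = [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
]

# The same policy plus the key-scoped KMS statement from the answer above.
FIXED_POLICY = ASKER_POLICY + [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"],
     "Resource": KEY_ARN},
]

# A Deny on KMS (for example from a second attached policy) wins despite the Allow.
DENIED_POLICY = FIXED_POLICY + [
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
]

if __name__ == "__main__":
    for name, pol in [("asker", ASKER_POLICY), ("fixed", FIXED_POLICY), ("denied", DENIED_POLICY)]:
        for op in REQUIRED:
            print(f"{name:7} {op:9} missing: {missing_permissions(pol, op)}")
```

Against the asker's policy the script reports kms:Decrypt missing for GetObject; with the answer's statement added nothing is missing for GetObject, while PutObject still lacks s3:PutObject because the original statement only grants GetObject. For the real account, the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject kms:Decrypt --resource-arns <object-arn> <key-arn>`. One caveat the script cannot catch: the KMS key policy must also let IAM policies take effect (the default key policy's statement for the account root principal does this); a key created in Terraform with a custom policy that omits it will keep denying regardless of the identity policy.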

You mention you cannot retrieve the object AFTER encryption; can you retrieve an object from the same bucket without encryption? I ask because encryption is not access control; it is read control. Access control lists (ACLs) are access control.

David J Eddy
  • Yes, I was able to access the S3 bucket before KMS encryption. I used default encryption earlier (AES-256). – asur Jan 21 '19 at 19:12