
We recently enabled AWS KMS for all of our Amazon S3 buckets which, by default, applies server-side encryption to all files we upload to our own S3 buckets or to S3 buckets owned by someone else.

Is there a way to intentionally "ignore" the default KMS encryption to upload unencrypted files to an S3 bucket owned by a 3rd party? The 3rd party team cannot open any of the files we are sending them. I understand that one solution would be to share the KMS key with the 3rd party but, due to the nature of the relationship, it's better if we only deliver unencrypted files instead of sharing a key.

Here is the Python code I have been using to deliver the files. How can I modify the ExtraArgs parameter to intentionally ignore the default KMS encryption?

import boto3
from boto3.s3.transfer import TransferConfig


# Client construction arguments are elided in the original post.
s3 = boto3.client('s3', ...)
# 25 KB threshold and chunk size: anything larger goes through multipart upload.
config = TransferConfig(multipart_threshold=1024 * 25, multipart_chunksize=1024 * 25,
                        max_concurrency=10, use_threads=True)

# upload_file takes the capitalised keyword arguments Filename, Bucket and Key;
# lowercase names raise a TypeError.
s3.upload_file(Filename='test.csv', Bucket='my-bucket', Key='test.csv',
               Config=config, ExtraArgs={'ACL': 'bucket-owner-full-control'})
hamzaahmad
  • This doesn't add up... I can think of no setting that would cause your uploads into *another account's bucket* to be KMS-encrypted by default... and if the problem were encryption related, "cannot open any of the files" would not be the problem. When S3 manages encryption, you do not have the option to download the encrypted version of the file. If you aren't authorized to access the decryption key, access to the file itself is denied. – Michael - sqlbot Mar 13 '19 at 01:01
  • What is the exact error message that the "3rd party team" receives? – John Rotenstein Mar 13 '19 at 10:25
  • The team had told me that they were not able to "read" the file. This might translate to not being able to download/access the file. They contacted their enterprise AWS support and found out the file was encrypted by a KMS key that I confirmed existed in our AWS account. – hamzaahmad Mar 13 '19 at 15:31

0 Answers
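The question asks which ExtraArgs control server-side encryption on a boto3 upload. Two facts matter here: the uploader only controls the encryption headers it sends (ServerSideEncryption and SSEKMSKeyId); if it sends none, the bucket's default encryption, which the bucket owner configures, applies. And an object stored with SSE-KMS can only be read by principals allowed kms:Decrypt on that key, so a key living in the uploader's account locks out a recipient who was never granted access to it. The following is an added example, not code from the question or its comments: it builds ExtraArgs for the three cases (explicit SSE-KMS, explicit SSE-S3, or no encryption headers so the bucket default applies), and after an upload reads the object back with head_object to confirm which mode and key the object actually received, flagging a KMS key owned by an account other than the bucket owner. The bucket, key, account IDs and KMS key ARN in the demo are constructed placeholders; `upload_and_verify` needs a real boto3 S3 client and is not exercised offline.

```python
"""Added example: make the S3 server-side-encryption choice explicit in
boto3's ExtraArgs and verify after upload what the object actually got.

All bucket names, account IDs and key ARNs below are constructed
placeholders, not values from the question.
"""
from __future__ import annotations

import re
from typing import Any, Optional

# KMS key ARN shape: arn:<partition>:kms:<region>:<account>:key/<key-id>
_KMS_KEY_ARN = re.compile(r"^arn:[^:]+:kms:[^:]*:(\d{12}):key/.+$")


def build_extra_args(acl: str = "bucket-owner-full-control",
                     kms_key_id: Optional[str] = None,
                     sse_s3: bool = False) -> dict:
    """Return ExtraArgs for boto3's upload_file (same keys as put_object).

    - kms_key_id set: request SSE-KMS with that key; the reader then needs
      kms:Decrypt on the key, so a third-party bucket owner is locked out
      unless the key policy grants them access.
    - sse_s3=True: request SSE-S3 (AES256); readable by anyone with s3:GetObject.
    - neither: send no encryption headers, so whatever default encryption the
      bucket owner configured on the bucket applies.
    """
    if kms_key_id and sse_s3:
        raise ValueError("choose either SSE-KMS or SSE-S3, not both")
    extra = {"ACL": acl}
    if kms_key_id:
        extra["ServerSideEncryption"] = "aws:kms"
        extra["SSEKMSKeyId"] = kms_key_id
    elif sse_s3:
        extra["ServerSideEncryption"] = "AES256"
    return extra


def kms_key_account(key_arn: Optional[str]) -> Optional[str]:
    """Account ID that owns a KMS key, parsed from its ARN (None if not an ARN)."""
    if not key_arn:
        return None
    m = _KMS_KEY_ARN.match(key_arn)
    return m.group(1) if m else None


def assess_head(head: dict, bucket_owner_account: str) -> dict:
    """Interpret a head_object response: can the bucket owner read this object?

    head_object reports ServerSideEncryption ('AES256' or 'aws:kms') and, for
    SSE-KMS objects, SSEKMSKeyId (the key ARN). An SSE-KMS object needs a
    kms:Decrypt grant on that key; a key in an account other than the bucket
    owner's is the clearest sign the recipient cannot open the file.
    """
    mode = head.get("ServerSideEncryption", "none")
    key_account = kms_key_account(head.get("SSEKMSKeyId"))
    return {
        "mode": mode,
        "kms_key_account": key_account,
        "needs_key_grant": mode == "aws:kms",
        "cross_account_key": (mode == "aws:kms"
                              and key_account is not None
                              and key_account != bucket_owner_account),
    }


def upload_and_verify(s3: Any, filename: str, bucket: str, key: str,
                      extra_args: dict, bucket_owner_account: str) -> dict:
    """Upload with a boto3 S3 client, then read the object's encryption back.

    Filename/Bucket/Key are boto3's capitalised parameter names. ExpectedBucketOwner
    makes head_object fail if the bucket is not owned by the account we think it is.
    """
    s3.upload_file(Filename=filename, Bucket=bucket, Key=key, ExtraArgs=extra_args)
    head = s3.head_object(Bucket=bucket, Key=key,
                          ExpectedBucketOwner=bucket_owner_account)
    return assess_head(head, bucket_owner_account)


if __name__ == "__main__":
    # Constructed head_object response (not real AWS output): object encrypted
    # with a key in account 111111111111, bucket owned by 222222222222.
    kms_head = {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555",
    }
    print(build_extra_args())                       # bucket default applies
    print(build_extra_args(sse_s3=True))            # explicit SSE-S3
    print(assess_head(kms_head, bucket_owner_account="222222222222"))
```

Running `assess_head` on the head_object response right after `upload_file` is the check the question lacked: if it reports `aws:kms` with a key in your own account, the recipient will see an access-denied error on GetObject regardless of the ACL you granted, and the fix is either to send `ServerSideEncryption: AES256` explicitly or to have the bucket owner change the bucket's default encryption.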