I am trying to upload an object to an S3 bucket, encrypted with ONLY a specific KMS key. I have created a policy with separate deny conditions, but it does not seem to work. Can somebody suggest where I could be going wrong?
I tested this policy with AWS CLI -
aws s3api put-object --bucket test-buck --key testimage.jpg --body testimage.jpg --ssekms-key-id arn:aws:kms:us-east-1:account-id:key/NOT-MY-key-id --server-side-encryption aws:kms
And I'm able to upload testimage.jpg using another key from my account, despite the deny statements below.
The same policy works if I put it in a bucket policy, but here I want the policy to be attached to my IAM role that is used with S3.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-buck/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-buck/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:<account-id>:key/<my-default-kmskey-id>"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::test-buck/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
Also, how can I test whether non-SSL requests are being denied? I cannot use the AWS CLI for this, because I think it uses SSL by default when communicating with AWS services.
Thanks in advance.
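What the three Deny statements in the question are intended to do can be checked offline against a simplified model of how IAM evaluates conditions. The following is an added example, not code from the question or from AWS: it models only the two operators the policy uses (`StringNotEquals`, `Bool`) plus trailing-wildcard resource matching, it assumes (as the AWS condition-key documentation describes) that the request context carries the full KMS key ARN under `s3:x-amz-server-side-encryption-aws-kms-key-id`, and the account id, key ids and request contexts are constructed placeholders. It also applies the IAM rule that a negated operator such as `StringNotEquals` matches when the key is absent from the request, which is what makes the first statement deny an unencrypted upload.

```python
import json

# Constructed placeholders; not the asker's real account or key ids.
MY_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/MY-KEY-ID"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/NOT-MY-KEY-ID"
OBJECT_ARN = "arn:aws:s3:::test-buck/testimage.jpg"

# The policy from the question, with the placeholder ARN substituted.
POLICY = json.loads(json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::test-buck/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "VisualEditor1", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::test-buck/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": MY_KEY_ARN}}},
        {"Sid": "VisualEditor2", "Effect": "Deny", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::test-buck/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, resource):
    # Only the trailing-* form used in the policy is modelled (assumption).
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_matches(operator, key, expected, context):
    """Simplified IAM condition semantics for the operators the policy uses.

    A negated operator (StringNotEquals) evaluates to true when the key is
    missing from the request context; a positive operator (Bool) does not.
    """
    expected_values = [str(v).lower() for v in _as_list(expected)]
    actual = context.get(key)
    if operator == "StringNotEquals":
        return actual is None or str(actual).lower() not in expected_values
    if operator == "Bool":
        return actual is not None and str(actual).lower() in expected_values
    raise ValueError(f"operator not modelled: {operator}")


def matching_denies(policy, action, resource, context):
    """Return the Sids of Deny statements whose Action, Resource and every
    Condition match the request; any match means the request is denied."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, val, context)
               for op, pairs in conditions.items() for key, val in pairs.items()):
            sids.append(stmt["Sid"])
    return sids


# Constructed request contexts: what S3 would present to IAM for each call.
REQUESTS = {
    # The CLI call from the question: SSE-KMS with a different key, over TLS.
    "put_other_key": ("s3:PutObject", {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": OTHER_KEY_ARN,
        "aws:SecureTransport": "true"}),
    # The intended happy path: SSE-KMS with the approved key, over TLS.
    "put_my_key": ("s3:PutObject", {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": MY_KEY_ARN,
        "aws:SecureTransport": "true"}),
    # No SSE headers at all: both StringNotEquals statements match a missing key.
    "put_no_sse": ("s3:PutObject", {"aws:SecureTransport": "true"}),
    # Approved key but plain HTTP: only the transport statement fires.
    "put_plain_http": ("s3:PutObject", {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": MY_KEY_ARN,
        "aws:SecureTransport": "false"}),
    # Reads are only covered by the transport statement.
    "get_plain_http": ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "get_tls": ("s3:GetObject", {"aws:SecureTransport": "true"}),
}


def evaluate_all(policy=POLICY, resource=OBJECT_ARN):
    """Map each constructed request name to the Deny Sids it triggers."""
    return {name: matching_denies(policy, action, resource, ctx)
            for name, (action, ctx) in REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in evaluate_all().items():
        print(f"{name:15s} -> {'DENY ' + ','.join(sids) if sids else 'no explicit deny'}")
```

Under this model the CLI call from the question is caught by `VisualEditor1`, an upload with no encryption headers by both `VisualEditor0` and `VisualEditor1`, and a plain-HTTP request by `VisualEditor2` only, which is the behaviour the policy is written to produce. The model says nothing about why the real role policy behaved differently; it is a way to pin down what each statement is expected to match before comparing against the outcome of a live test.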