Non default master key Server Side Encryption KMS support

[mubeta06]

Currently the buildkite agent KMS support is limited to (as per the environment script)

aws s3 cp --sse aws:kms source destination

which ends up employing the default master key for the S3 service, i.e. the key that is used to encrypt S3 objects when no other key is defined.

It would be ideal to make use of an explicit kms key id issued exclusively for buildkite agent purposes. Something like

aws s3 cp --sse-kms-key-id arn:aws:kms:ap-southeast-2:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9

where the arn for the key could be passed in as a parameter to the Cloudformation template for the stack.

[lox]

Sounds like this would make for a sensible default, along with creating a dedicated key in the cloudformation stack.

I wonder what the behaviour of changing the KMS key associated with already SSE encrypted files is.

[mubeta06]

Just my 2 cents worth. I think S3 default master key encryption as it is implemented today makes for a sensible default, the additional ability to specify as a parameter the arn of a kms key to the CF template for the stack would be slick.

[lox]

Yup, on reflection, I agree.

[ReshuS]

Hi,
aws s3 cp --sse-kms-key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
when I execute the above command am getting the following error.
-- when calling the put object operation: Server side encryption with aws kms managed key requires http header x-amz-server-side-encryption:aws:kms

How can i overcome this issue? pls help me with this.

[gugahoi]

@ReshuS I believe you need to specify: --sse aws:kms too

[ReshuS]

@gugahoi ya, Thank you! Its working now... :-)

[sushilvarma2]

When I am running this command facing following error:
aws s3 cp --sse=aws:kms --sse-kms-key-id kms-id-value file-to-be-copied.text s3://bucketname/.
error:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied.

[lox]

I hate to ask, but you're using your bucket name, not bucketname, right @sushilvarma2?

[sushilvarma2]

yah that is right. that is just for reference.

[lox]

Do you have permission to write to that bucket?

…

Sent from my iPhone

On 8 Sep 2017, at 5:31 pm, sushilvarma2 ***@***.***> wrote: yah that is right. that is just for reference. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[sushilvarma2]

Yah, I assigned S3, KMS role to the user.

It works without any issue when I am using default KMS ID and not even providing kms id. Just simple copy to S3 bucket.

I have also used this option, as advised in aws documentation.
aws configure set default.s3.signature_version s3v4.

I have tried both these policies also to the bucket but no help:

{
"Version": "2012-10-17",
"Id": "Policy1504851851295",
"Statement": [
{
"Sid": "Stmt1504851844388",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxx:user/testuser1"
},
"Action": "s3:",
"Resource": "arn:aws:s3:::bucketname/",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
}
]
}
2nd time:
{
"Version": "2012-10-17",
"Id": "Policy1504851851295",
"Statement": [
{
"Sid": "Stmt1504851844388",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxxx:user/testuser1"
},
"Action": "s3:",
"Resource": "arn:aws:s3:::bucketname/"
}
]
}

[sushilvarma2]

This issue got resolved by adding user into "key users" section in encryption key. Earlier I have added this user only into "Key Administrator" section. Thanks everyone.

[vivek9018]

Thanks a lot everyone, I had been breaking my head since yesterday, found this post, it worked.
Case: to copy data using aws cli from sse encrypted bucket to custom kms key encrypted bucket.