
I'm using Cloudfront with an S3 origin that is using KMS to encrypt objects. I'm getting the following error when sending a GET request for an object in the S3 bucket.

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

I assumed Cloudfront would be smart enough to use AWS Signature Version 4 when requesting the object, but perhaps not?

It looks like this has been an issue with new S3 regions. Amazon recently added support for these new regions but I don't think they have addressed the issue with KMS-encrypted objects.

Does anyone have experience with this and know if there is a way to get Cloudfront's origin access identity to use signature v4?

DJ Tarazona
  • Does it make sense to use CloudFront and S3/SSE-KMS together? The object would presumably be stored unencrypted in the CloudFront edge cache, which seems like it would rather defeat the purpose of storing it encrypted in S3 in the first place. Not trying to be pedantic, but I'm not sure this is a problem they would *want* to solve. – Michael - sqlbot May 13 '16 at 21:45
  • @Michael-sqlbot That is a very good point. I was wondering about this at one point but it slipped my mind. However, encrypting the S3 objects could still protect the data from the unlikely theft of S3 drives (and not CloudFront cache drives). Also, is there documentation that confirms the CloudFront edge cache is unencrypted? I assume it is unencrypted. – DJ Tarazona May 13 '16 at 22:46

1 Answer


You need to configure your AWS Signature Version, e.g.

aws configure set default.s3.signature_version s3v4

or for the specific profile:

aws configure set profile.<profilename>.s3.signature_version s3v4

Then re-try, e.g.

aws s3 cp s3://rkbtest/check.png ./

Source: aws/aws-cli/issues/1006 at GitHub.


If using a curl/wget command, you need to add an extra Authorization header to your request, e.g.

GET /photos/puppy.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Tue, 27 Mar 2007 19:36:42 +0000
Authorization: AWS AKIAIOSFODNN7EXAMPLE:bWq2s1WEIj+Ydj0vQ697zp+IXMU=

Syntax: Authorization: AWS AWSAccessKeyId:Signature.

See: Signing and Authenticating REST Requests.

kenorb
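The error in the question says the request must carry AWS Signature Version 4, so the curl/wget route in the answer needs a SigV4 Authorization header rather than the "AWS AccessKeyId:Signature" form. The following is an added example (not code from the answer or from AWS) that computes that header for an S3 GET with the standard library only; the function name sigv4_s3_get and its parameters are my own choices, and the credentials and request values are AWS's published documentation example, not real keys.

```python
import hashlib
import hmac
from urllib.parse import quote

# SHA-256 of an empty body: a GET carries no payload, so this is its x-amz-content-sha256
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_s3_get(access_key, secret_key, region, host, key, amz_date, extra_headers=None):
    """Return (canonical_request, signature, authorization_header) for a SigV4-signed
    GET of object `key` on `host`. amz_date is the ISO8601 basic timestamp, e.g. 20130524T000000Z."""
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
    }
    # Header names are lower-cased and values trimmed before they enter the canonical form
    headers.update({k.lower(): v.strip() for k, v in (extra_headers or {}).items()})
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # S3 canonical URI is the single-URI-encoded key with '/' left as-is; no query string here
    canonical_request = "\n".join(
        ["GET", "/" + quote(key, safe="/"), "", canonical_headers, signed_headers, EMPTY_SHA256]
    )
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    # Derive the per-day, per-region, per-service signing key; the secret itself is never sent
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    k = _hmac(k, "aws4_request")
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return canonical_request, signature, authorization


if __name__ == "__main__":
    # AWS documentation example request (example credentials, not real ones)
    _, sig, auth = sigv4_s3_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                "us-east-1", "examplebucket.s3.amazonaws.com", "test.txt",
                                "20130524T000000Z", {"Range": "bytes=0-9"})
    print(auth)
```

The host, x-amz-date and x-amz-content-sha256 headers in the output must be sent on the wire exactly as signed, and the Authorization value replaces the SigV2 "AWS AccessKeyId:Signature" line shown in the answer.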