
I cannot create an SES rule to put emails into an S3 bucket that has encryption enabled (on the bucket).

This could just be that another policy is needed somewhere, or is there something I'm missing about AWS encryption which explains why the above steps failed and why SES has client-side encryption as an option?

Update

I've added a policy (thanks @shonkylinuxuser) to the KMS key that is configured under the bucket's encryption properties (as per the AWS docs):

```json
{
  "Sid": "Allow SES to encrypt messages using this master key",
  "Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContext:aws:ses:rule-name": false,
      "kms:EncryptionContext:aws:ses:message-id": false
    },
    "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "1234567890"}
  }
}
```

EXCEPT: The policy still causes the same error when saving the SES rule. However, if I remove all the "Condition"s, then I can save it successfully?

--

Related: AWS SES Encryption vs S3 bucket encryption

eugenevd
  • Haven't tried this but the KMS key used to encrypt S3 may require a policy to allow the SES service to use it. – shonky linux user Aug 07 '18 at 22:38
  • 1
    @shonkylinuxuser Thanks, that helped. Except, the rule as provided by AWS docs causes the same error unless I remove the Condition section ... ideas? – eugenevd Aug 08 '18 at 09:08
  • 1
    It may be that the [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/services-ses.html#services-ses-encryptioncontext) does not match the conditions in the policy - can you check the encryption context in your CloudTrail logs? – shonky linux user Aug 08 '18 at 21:15

1 Answer

Really late response, but I just ran into the same issue. I was able to get SSE-KMS working with an update to the KMS key policy to allow S3 access to KMS.

```json
{
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "s3.<your s3 bucket region>.amazonaws.com"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::<your S3 bucket name>/*"
    }
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Sid": "SES Access to CMK for S3 SSE-KMS"
}
```

When you use SSE-KMS, it's actually S3 that accesses the KMS key on behalf of the principal performing the put action on the S3 bucket. So this policy allows S3 to access the KMS key when SES is trying to use the key with S3.
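As an added illustration of the answer's point (not code from the thread or from AWS), here is a simplified evaluator run over the two key-policy statements discussed above. The request context S3 presents to KMS, the region and the bucket name are assumptions; real KMS policy evaluation also considers `Resource`, `kms:CallerAccount` and other keys this toy ignores.

```python
import fnmatch

# Constructed request context (assumed, modelled on the answer's condition keys): what KMS sees when S3, not SES, calls it.
S3_ON_BEHALF_OF_SES = {
    "principal": "ses.amazonaws.com",
    "action": "kms:GenerateDataKey",
    "kms:ViaService": "s3.us-east-1.amazonaws.com",
    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::inbound-mail/incoming/msg-0001",
}

# The two statements from this thread as dicts; placeholders filled with assumed values.
SES_DOC_STATEMENT = {
    "Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*",
    "Condition": {
        "Null": {"kms:EncryptionContext:aws:ses:rule-name": False,
                 "kms:EncryptionContext:aws:ses:message-id": False},
        "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "1234567890"},
    },
}
VIA_S3_STATEMENT = {
    "Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
        "StringLike": {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::inbound-mail/*"},
    },
}

def _condition_holds(op, expected, actual):
    """One IAM condition operator; a missing context key fails everything except Null."""
    if op == "Null":  # Null true: key must be absent; Null false: key must be present
        return (actual is None) == (str(expected).lower() == "true")
    if actual is None:
        return False
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":  # IAM wildcards * and ?, case-sensitive
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {op}")

def statement_allows(stmt, ctx):
    """Simplified key-policy check: does this Allow statement match the request context?"""
    if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != ctx["principal"]:
        return False
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in stmt["Action"]):
        return False
    return all(_condition_holds(op, want, ctx.get(key))
               for op, pairs in stmt.get("Condition", {}).items() for key, want in pairs.items())
```

Under this model the SES-docs statement fails because the `aws:ses:*` encryption-context keys are absent from S3's call (the `Null` conditions require them to be present), while the `kms:ViaService` statement matches; checking the actual encryption context in CloudTrail, as suggested in the comments, confirms what your own setup sends.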