I am trying to use a kms key alias in a bucket policy


I am using the following bucket policy:

{
  "Version": "2012-10-17",
  "Id": "Policy1566337631537",
  "Statement": [
    {
      "Sid": "Stmt156",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::jmalacho-test-bucket23/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-2:123456789012:alias/ExampleAlias"
        }
      }
    }
  ]
}

Then when I try to upload a file using the CLI I get an Access Denied error.

aws s3 cp notes.txt s3://jmalacho-test-bucket23/notes.txt --sse aws:kms --sse-kms-key-id alias/ExampleAlias

If I use the key-id ARN, the policy works. Is it not possible to use a key alias in a bucket policy?

Thanks

jmalacho

Posted 2019-08-21T00:32:27.450

Reputation: 1

Answers


The documentation suggests that you cannot.

Amazon S3 also supports the s3:x-amz-server-side-encryption-aws-kms-key-id condition key, which you can use to require a specific KMS key for object encryption. The KMS key you specify in the policy must use the arn:aws:kms:region:acct-id:key/key-id format.

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

An alias would not be consistent with the concept of requiring "a specific KMS key" as mentioned above, since an alias does not refer to a specific key, except transiently while the alias happens to point to the key.

Also:

You can use an alias as the value of the KeyId parameter only in the following operations:

  • DescribeKey

  • Encrypt

  • GenerateDataKey

  • GenerateDataKeyWithoutPlaintext

  • ReEncrypt

https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html

Michael - sqlbot

Posted 2019-08-21T00:32:27.450

Reputation: 1 103
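As an added example (not the poster's code and not an AWS tool), a small Python check that flags an alias in the s3:x-amz-server-side-encryption-aws-kms-key-id condition and rewrites it with the key ARN the alias currently resolves to. The alias-to-ARN mapping and the key id are constructed placeholders standing in for what kms:ListAliases and kms:DescribeKey would return, so it runs offline.

```python
import json
import re

# Condition key the bucket policy uses to pin object encryption to one KMS key.
SSE_KMS_KEY_CONDITION = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Per the S3 docs quoted above, the value must be a key ARN, not an alias ARN.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed sample: the policy from the question (Principal "*" assumed).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt156",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::jmalacho-test-bucket23/*",
        "Condition": {"StringNotEquals": {
            SSE_KMS_KEY_CONDITION: "arn:aws:kms:us-east-2:123456789012:alias/ExampleAlias"}},
    }],
}

# Constructed snapshot of alias -> key ARN (the key id is a placeholder).
SAMPLE_ALIAS_MAP = {
    "alias/ExampleAlias":
        "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}


def find_bad_kms_key_ids(policy: dict) -> list:
    """Return (Sid, value) pairs whose KMS key condition value is not a key ARN."""
    bad = []
    for stmt in policy.get("Statement", []):
        for conds in stmt.get("Condition", {}).values():
            value = conds.get(SSE_KMS_KEY_CONDITION)
            if value is None:
                continue
            for v in (value if isinstance(value, list) else [value]):
                if not KEY_ARN_RE.match(v):
                    bad.append((stmt.get("Sid"), v))
    return bad


def rewrite_with_key_arn(policy: dict, alias_to_arn: dict) -> dict:
    """Copy the policy, swapping alias values for the key ARN they point to now.

    The mapping is a snapshot: if the alias is later repointed, the policy keeps
    pinning the old key, which is exactly why S3 requires a key ARN here.
    """
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in fixed.get("Statement", []):
        for conds in stmt.get("Condition", {}).values():
            v = conds.get(SSE_KMS_KEY_CONDITION)
            if isinstance(v, str) and not KEY_ARN_RE.match(v):
                alias = v.rsplit(":", 1)[-1]  # alias ARN or bare "alias/Name"
                if alias not in alias_to_arn:
                    raise ValueError(f"alias {alias!r} does not resolve to a key")
                conds[SSE_KMS_KEY_CONDITION] = alias_to_arn[alias]
    return fixed
```

Run find_bad_kms_key_ids over a policy before attaching it; it reports the Stmt156 alias value, and rewrite_with_key_arn produces the version S3 will actually enforce.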