
S3 KMS Policies

Granting encrypt and decrypt permissions to users or roles.

{
    "Sid": "Allow users or roles to use KMS to S3.",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>"
}

Requiring server-side encryption

{
   "Version":"2012-10-17",
   "Id":"PutObjectPolicy",
   "Statement":[{
         "Sid":"DenyUnEncryptedObjectUploads",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::<bucket name>/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-server-side-encryption":"aws:kms"
            }
         }
      }
   ]
}

To upload an object with SSE-KMS from the AWS CLI, pass --sse aws:kms (see the AWS documentation linked below):

aws s3 cp ./2022-11-03_14:11:49 s3://samsung-kms-test --sse aws:kms

AWS Documentation
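To see what the DenyUnEncryptedObjectUploads statement above actually blocks, the following added example (written for this page, not code from the page's author or from AWS) runs a few constructed PutObject requests through a minimal model of that one statement. It assumes a bucket named example-bucket in place of the `<bucket name>` placeholder, and it models only the IAM semantics the statement needs: an explicit Deny, the `*` resource wildcard, and the IAM rule that a negated operator such as StringNotEquals matches when the condition key is absent from the request context, which is why the statement also denies uploads that send no x-amz-server-side-encryption header at all.

```python
import json
import re

# Constructed for this example: the page's DenyUnEncryptedObjectUploads
# bucket policy with <bucket name> filled in as the placeholder "example-bucket".
BUCKET_POLICY = json.loads("""
{
   "Version": "2012-10-17",
   "Id": "PutObjectPolicy",
   "Statement": [{
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
         "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
         }
      }
   }]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    """Match an ARN against a policy resource pattern. Only '*' is supported,
    which is the only wildcard the page's policy uses."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, arn) is not None


def request_context(bucket, key, sse_header=None):
    """Build the slice of the request context the statement inspects.

    s3:x-amz-server-side-encryption is only present when the client sent the
    x-amz-server-side-encryption header, mirroring how S3 populates the key.
    """
    ctx = {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{bucket}/{key}"}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return ctx


def _string_not_equals(pairs, ctx):
    """IAM StringNotEquals: true when every listed key is absent or differs.
    A negated operator matches when the key is missing from the context,
    which is what makes this Deny also catch uploads with no SSE header."""
    for key, expected in pairs.items():
        if key in ctx and ctx[key] in _as_list(expected):
            return False
    return True


def statement_denies(stmt, ctx):
    """True if this Deny statement applies to the request."""
    if stmt.get("Effect") != "Deny":
        return False
    if ctx["action"] not in _as_list(stmt["Action"]):
        return False
    if not any(_arn_matches(p, ctx["resource"]) for p in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        if not _string_not_equals(pairs, ctx):
            return False
    return True


def put_object_survives_bucket_policy(policy, ctx):
    """True when no Deny statement matches. An explicit Deny always wins, so a
    False here cannot be overridden by any identity policy; a True only means
    the bucket policy does not block the upload (the caller still needs an
    Allow for s3:PutObject from an identity policy or elsewhere)."""
    return not any(statement_denies(s, ctx) for s in policy["Statement"])


def evaluate_samples():
    """Run a few constructed PutObject requests through the policy."""
    samples = {
        "sse_kms": request_context("example-bucket", "report.csv", "aws:kms"),
        "sse_s3": request_context("example-bucket", "report.csv", "AES256"),
        "no_header": request_context("example-bucket", "report.csv"),
        "other_bucket": request_context("other-bucket", "report.csv"),
    }
    return {name: put_object_survives_bucket_policy(BUCKET_POLICY, ctx)
            for name, ctx in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:>12}: {'not denied by bucket policy' if ok else 'DENIED'}")
```

The `other_bucket` case is there as a reminder that the statement is scoped by its Resource ARN: a policy copied to another bucket without changing `<bucket name>` denies nothing. The sse_s3 case shows that requesting SSE-S3 (AES256) is also rejected, since the condition demands exactly aws:kms.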

S3 Replication Policies

KMS Policies

{
   "Sid": "AllowS3ReplicationSourceRoleToUseTheKey",
   "Effect": "Allow",
   "Principal": {
         "AWS": "arn:aws:iam::<account id>:role/service-role/<s3 replication role name>"
   },
   "Action": [
         "kms:GenerateDataKey",
         "kms:Encrypt",
         "kms:Decrypt"
   ],
   "Resource": "*"
},
{
   "Sid": "AllowS3ReplicationDestinationRoleToUseTheKey",
   "Effect": "Allow",
   "Principal": {
         "AWS": "arn:aws:iam::<account id>:role/service-role/<s3 replication role name>"
   },
   "Action": [
         "kms:GenerateDataKey",
         "kms:Encrypt",
         "kms:Decrypt"
   ],
   "Resource": "*"
}

Note

You should update the key policies of both keys (source and destination).