As you may be aware, S3 supports only None, SSE-S3 and SSE-KMS encryption of objects at rest. If you want to allow only encrypted objects during file upload, this article is for you.
To learn more about the different types of encryption in S3, refer to (link).
You may use the AWS CLI, the SDKs or the S3 UI to upload an object to S3. The topics discussed in this article are as follows:
- Configure Bucket Policy
- Verify File upload Process
Configure Bucket Policy
Your bucket might already have a different policy configured. You can either modify the existing policy with a condition or add a new policy containing the server-side encryption condition to your bucket. Here, we create a new policy and apply it to an existing S3 bucket.
1. Sign in to the AWS Management Console (link) and open the S3 service
2. Create a new bucket
Refer to (link) to create a bucket in S3
3. Copy the bucket ARN

4. Select and click on your bucket and go to Permissions

5. Click on Bucket Policy and generate a policy with the Policy Generator

6. In the Policy Generator, select the options below

In Actions, select PutObject, as for now we are going to test only the file upload operation in S3.
Now click on Add Conditions to apply the conditions in your bucket policy.
Condition 1 – In the first condition, provide details for Condition, Key and Value.
In the condition you need to specify the type of condition and the Key. The Key is specific to your service operation. In this case it is server-side encryption, and the value is the corresponding Key’s value, which is AES256. Then click on Add Statement.

For s3:x-amz-server-side-encryption: “AES256”, the file upload would succeed.
Condition 2 – For the Key server-side-encryption the value is True, which means the upload would be denied for encryption type None.

For s3:x-amz-server-side-encryption: “True”, the file upload would fail. Click on Add Statement to proceed to the next step.

Click on Generate Policy

7. Copy the policy, add it to your bucket policy and save it

{
  "Id": "Policy1576350601579",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1576350173119",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::<your-bucket>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      },
      "Principal": "*"
    },
    {
      "Sid": "Stmt1576350206882",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::<your-bucket>/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "True"
        }
      },
      "Principal": "*"
    }
  ]
}

Verify File upload Process
You’re done with your bucket policy configuration. Now let's test the file upload process with three different cases. As per the policy configuration, the file upload should pass only for server-side encryption SSE-S3, and the other operations should fail.
Case 1 – Upload an Object with Encryption type as None


As expected, the file upload operation failed.
Case 2 – Upload an Object with AWS KMS Master Key (SSE-KMS)


As we did not configure the policy for the KMS master key, the file upload is denied for this server-side encryption type.
Case 3 – Upload an Object with AWS S3 Master Key (SSE-S3)


The file upload operation succeeds for AES256, so we are good with the bucket policy configuration. Your bucket now allows file uploads only with the S3 master key.
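The three cases above can also be reasoned through offline. The following is an added example, not part of the original article and not AWS code: a small evaluator for the two Deny statements of the policy, run against the three upload cases. It assumes the caller is otherwise allowed to call PutObject, does not model Resource matching, and uses the placeholder bucket name example-bucket; the function names are hypothetical.

```python
import json

# The two Deny statements from the bucket policy above; the bucket name
# "example-bucket" is a placeholder chosen for this example.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Principal": "*", "Action": ["s3:PutObject"],
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
  {"Effect": "Deny", "Principal": "*", "Action": ["s3:PutObject"],
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "True"}}}
]}
""")

def condition_matches(operator, key, expected, context):
    """Evaluate one condition operator against the request context."""
    present = key in context
    if operator == "Null":
        # "true" matches when the key is absent from the request.
        return present != (str(expected).lower() == "true")
    if operator == "StringNotEquals":
        # Negated operators also match when the key is absent.
        return not present or context[key] != expected
    raise ValueError(f"operator not modelled here: {operator}")

def denied_by(policy, action, context):
    """Return the indexes of Deny statements that match this request."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if all(condition_matches(op, k, v, context)
               for op, pairs in stmt["Condition"].items()
               for k, v in pairs.items()):
            hits.append(i)
    return hits

def upload_allowed(sse_header):
    """sse_header is the x-amz-server-side-encryption value, or None if not sent."""
    key = "s3:x-amz-server-side-encryption"
    context = {} if sse_header is None else {key: sse_header}
    return not denied_by(POLICY, "s3:PutObject", context)

if __name__ == "__main__":
    for case in (None, "aws:kms", "AES256"):
        print(case, "->", "allowed" if upload_allowed(case) else "denied")
```

Calling denied_by directly shows which statement rejects each request: an upload without the header matches both statements, while an SSE-KMS upload matches only the StringNotEquals statement.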