Enforcing S3 Encryption Using Bucket Policies

Lab Steps

Logging in to the Amazon Web Services Console
Learning important Key Management Service (KMS) terms
Creating a Customer Master Key (CMK)
Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)
Enforcing S3 Encryption Using Bucket Policies

Introduction

Knowing how to encrypt individual objects in S3 is useful, but it is often necessary to enforce that every object in a bucket is encrypted, sometimes with a specific encryption method and, for SSE-KMS, a specific CMK. S3 bucket policies are the mechanism for enforcing such requirements on a bucket. In this lab step you will implement a bucket policy that denies any object upload that does not use SSE-KMS, and then extend it so that only a specific CMK is accepted.

Note: Apply the policy as soon as the bucket is created. A bucket policy is evaluated on each request, so objects already in the bucket are not encrypted retroactively when the policy is applied (the same is true of setting the bucket's default encryption). Existing unencrypted objects have to be re-uploaded, or copied in place, with the encryption settings you want.

Instructions

1. In the S3 bucket console, click the Permissions tab followed by Bucket Policy to open the Bucket policy editor.

Bucket policies use the IAM policy language but are attached to the bucket rather than to a user or role, in the same way that a key policy is attached to a CMK. Both are examples of resource-based policies in AWS.

2. Paste the following bucket policy into the policy editor:

{
    "Version": "2012-10-17",
    "Id": "RequireSSEKMS",
    "Statement": [
        {
            "Sid": "DenyUploadIfNotSSEKMSEncrypted",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<Your_Bucket_Name>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        }
    ]
}

This policy denies ("Effect": "Deny") uploads ("Action": "s3:PutObject") by any principal ("Principal": "*") to any object key in the bucket ("Resource": "arn:aws:s3:::<Your_Bucket_Name>/*") whenever the s3:x-amz-server-side-encryption condition key is not aws:kms, the value that selects SSE-KMS. The condition key is populated from the x-amz-server-side-encryption header of the request, so a request that asks for SSE-S3 (AES256), or that sends no encryption header at all, is denied. Because "Principal": "*" in a Deny statement matches every identity, including users and roles in your own account, no IAM Allow can override it. Multipart uploads and copies into the bucket also require s3:PutObject, so they are covered as well. The lab provides the policy, but you could recreate it with the policy generator linked beneath the policy editor.

3. Replace <Your_Bucket_Name> with the name of your lab bucket (it begins with cloudacademylabs-ssekms- and can be copied from the S3 console). Keep the trailing /* in the Resource: s3:PutObject is evaluated against object ARNs, so a Resource of just the bucket ARN would never match and the policy would enforce nothing.

4. Click Save changes to save the policy. It is enforced on all subsequent requests as soon as it is saved.

5. Click the Objects tab followed by Upload.

 

6. Click Add files and select a small file, or download this sample file and select it.

 

7. Click Upload and observe that the file does not appear in the bucket contents table.

Uploading without setting any object properties sends the PutObject request without an x-amz-server-side-encryption header. The StringNotEquals condition therefore holds, the Deny statement applies, and S3 rejects the request with 403 AccessDenied. The upload status is shown as Failed.

8. Retry the upload, but this time use the Set properties step to set Encryption to AWS KMS master-key and select your CMK.

The upload now succeeds because the bucket policy condition is satisfied.

Note that the policy does not require your CMK specifically: any SSE-KMS upload passes, including one that uses the AWS managed key for S3 (aws/s3) in the region. You can tighten the condition so that only a specific CMK is accepted, which is the subject of the challenge below.

Summary

In this lab step, you configured an S3 bucket policy that requires SSE-KMS encryption for every new object uploaded to the bucket. As configured, clients must explicitly set the SSE-KMS properties on each upload. If you prefer those properties to be applied automatically, you can set the bucket's default encryption to SSE-KMS with the same CMK. If a client then tries to override the default with a different method (no encryption or SSE-S3), the bucket policy still denies the upload.

 

Challenge (Optional)

If you have time remaining in your lab session and you have already passed the validation check, try to modify the policy so that only a specific CMK can be used to upload objects to the lab bucket. Use this quote from AWS documentation to assist you:

To require that a particular AWS KMS CMK be used to encrypt the objects in a bucket, you can use the s3:x-amz-server-side-encryption-aws-kms-key-id condition key. To specify the AWS KMS CMK, you must use a key Amazon Resource Name (ARN) that is in the "arn:aws:kms:region:acct-id:key/key-id" format.

 

 

Solution to Challenge

{
    "Version": "2012-10-17",
    "Id": "RequireSSEKMSWithSpecificCMK",
    "Statement": [
        {
            "Sid": "DenyIfNotSpecificCMK",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<Your_Bucket_Name>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:<Lab_Account_ID>:key/<Your_CMK_Key_ID>"
                }
            }
        }
    ]
}

The CMK ARN can be found in the Customer managed keys view of the KMS console. Use the key ARN, which ends in key/<key-id> where key-id is the key's UUID; the key's alias name does not work in this condition, as the AWS documentation quoted above says, and the region in the ARN must be the region the CMK lives in (us-west-2 for this lab). An example of a CMK ARN is arn:aws:kms:us-west-2:123456789012:key/bee0cfa3-b5ab-48cd-846e-263f0becba1c. You can also keep the statement from step 2 and add this one as a second statement; a request that names this key is necessarily an SSE-KMS upload, so both statements agree, and the two Sids make it clear in a later review which requirement a denied request failed.
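To see how the step 2 policy and the challenge solution treat the different upload variants from steps 7 and 8 without touching an AWS account, here is an added example (not code from the lab) that builds both policies and evaluates sample PutObject requests against them locally. It models only the condition operators these policies use (StringNotEquals, with Null included for comparison), and it assumes, as step 7 demonstrates, that a negated operator such as StringNotEquals matches when the condition key is absent from the request. The bucket name, the second key ARN and the request variants are constructed placeholders; the lab key ARN is the example ARN quoted above. The real check remains an actual upload.

```python
"""Build the SSE-KMS bucket policies from this lab step and check sample
PutObject requests against them offline.

Added example, not lab code. The evaluator is a local model of the IAM
condition logic these two policies rely on; it is not the S3 authorizer.
Modelling assumption (matches step 7 of the lab): a negated operator such as
StringNotEquals holds when the condition key is missing from the request.
"""
import fnmatch
import json
from typing import Dict, List, Optional

# Request-context keys that S3 derives from the PutObject request headers.
SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_KEY_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Constructed placeholders: a bucket with the lab's prefix, the example key ARN
# from the challenge solution, and a second key to stand in for "some other CMK".
BUCKET = "cloudacademylabs-ssekms-example"
LAB_CMK_ARN = "arn:aws:kms:us-west-2:123456789012:key/bee0cfa3-b5ab-48cd-846e-263f0becba1c"
OTHER_CMK_ARN = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"


def build_policy(bucket_name: str, kms_key_arn: Optional[str] = None) -> dict:
    """Return the step 2 policy; if kms_key_arn is given, append the challenge
    statement so that only that key ARN is accepted."""
    arn_pattern = f"arn:aws:s3:::{bucket_name}/*"
    statements = [{
        "Sid": "DenyUploadIfNotSSEKMSEncrypted",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": arn_pattern,
        "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DenyIfNotSpecificCMK",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": arn_pattern,
            "Condition": {"StringNotEquals": {KMS_KEY_ID_KEY: kms_key_arn}},
        })
    return {"Version": "2012-10-17", "Id": "RequireSSEKMS", "Statement": statements}


def _condition_matches(condition: Dict[str, Dict[str, str]], context: Dict[str, str]) -> bool:
    """Every operator/key pair must hold (IAM ANDs them). For a missing context
    key: StringEquals fails, StringNotEquals holds (assumption above), Null
    tests presence."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual == expected
            elif operator == "StringNotEquals":
                ok = actual != expected
            elif operator == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def denying_sids(policy: dict, bucket_name: str, object_key: str,
                 headers: Dict[str, str]) -> List[str]:
    """Return the Sids of the Deny statements that match a PutObject carrying
    the given x-amz-* headers. An empty list means the bucket policy does not
    block the upload (an Allow is still needed, e.g. from the caller's IAM policy)."""
    resource = f"arn:aws:s3:::{bucket_name}/{object_key}"
    context = {f"s3:{name.lower()}": value for name, value in headers.items()}
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase("s3:PutObject", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            hits.append(stmt["Sid"])
    return hits


# Constructed request variants: steps 7 and 8 of the lab plus the challenge cases.
REQUESTS = {
    "no encryption header": {},
    "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
    "SSE-KMS, default aws/s3 key": {"x-amz-server-side-encryption": "aws:kms"},
    "SSE-KMS, other CMK": {"x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id": OTHER_CMK_ARN},
    "SSE-KMS, lab CMK": {"x-amz-server-side-encryption": "aws:kms",
                         "x-amz-server-side-encryption-aws-kms-key-id": LAB_CMK_ARN},
}


def main() -> None:
    for label, key_arn in (("step 2 policy", None), ("challenge policy", LAB_CMK_ARN)):
        policy = build_policy(BUCKET, key_arn)
        print(f"== {label}\n{json.dumps(policy, indent=4)}")
        for name, headers in REQUESTS.items():
            hits = denying_sids(policy, BUCKET, "sample.png", headers)
            print(f"  {name:30} -> {'DENY ' + ', '.join(hits) if hits else 'not denied'}")


if __name__ == "__main__":
    main()
```

Under the step 2 policy only the first two variants are denied; under the challenge policy the upload with the default aws/s3 key and the one with the other CMK are denied as well, and only the lab CMK passes. To reproduce this against the real bucket, upload with the AWS CLI: `aws s3api put-object --bucket <bucket> --key sample.png --body sample.png --server-side-encryption aws:kms --ssekms-key-id <key-arn>` succeeds, while the same command without `--server-side-encryption` fails with AccessDenied.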

Validation checks

Bucket Policy Applied to S3 Bucket: checks that the policy has been applied to the S3 bucket.