-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathKMSUsage.txt
62 lines (47 loc) · 2.43 KB
/
KMSUsage.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Creating and using AWS KMS KEY:-
1> create an IAM user who will be accessing the KMS key which we are going to create or fix an existing user
2> goto aws iam console and click (Encryption Keys) https://console.aws.amazon.com/iam/home?region=us-east-2#/encryptionKeys/us-east-1
3> Create Key > Alais(Give name of the key for easy understanding) > Advanced Options(KMS) > Next Step > Add Tag Values > Define Key Usage Permissions (Add the user whom you want to KMS key to be accessed or Add External AWS Accounts by going to advanced) > Preview the policy > Finish
4> Take a note of the KMS ARN and KMS ID with the alias name you created and
Alias: master
KMS ID: 2ef39919-a9b7-44b8-9304-8ca5b7df5bf8
KMS ARN: arn:aws:kms:us-east-1:042147377548:key/2ef39919-a9b7-44b8-9304-8ca5b7df5bf8
5> Create a new Bucket or use an existing one. In the Bucket Policies of the bucket add the below policy (Change "masteri" with the "Bucket name" and "arn:aws:kms:us-east-1:042147377548:key/2ef39919-a9b7-44b8-9304-8ca5b7df5bf8" with the "arn of kms" which was obtained )
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::masteri/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "arn:aws:kms:us-east-1:042147377548:key/2ef39919-a9b7-44b8-9304-8ca5b7df5bf8"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::masteri/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
6> Test the upload to your s3 by uploading a test documnet with the user you gave access
aws s3 cp sourceFile s3://bucketName #(You will Get Access Denied)
example:
aws s3 cp screen.sh s3://masteri
upload failed: ./screen.sh to s3://masteri/screen.sh An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
>Now try with the valid upload command
aws s3 cp /filepath s3://mybucket/filename --sse aws:kms --sse-kms-key-id <key id>
example:
aws s3 cp screen.sh s3://masteri --sse aws:kms --sse-kms-key-id 2ef39919-a9b7-44b8-9304-8ca5b7df5bf8