I am trying to set up replication of encrypted objects to an S3 bucket in a different region. When doing this, I will need to specify one or more KMS keys to be used to decrypt the source object.
I am using the following Terraform script:
replication_configuration {
  role = "${aws_iam_role.replication.arn}"

  rules {
    id     = "${var.service}"
    prefix = "${var.replication_bucket_prefix}"
    status = "Enabled"

    destination {
      bucket             = "${aws_s3_bucket.replication_bucket.arn}"
      storage_class      = "STANDARD"
      replica_kms_key_id = "xxxxx"
    }

    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}
This script works (it applies), but when checking in the AWS console, no KMS keys are selected for the source object.
Looking at the configuration, I can't see anywhere to specify these keys. The replica_kms_key_id is to specify the KMS key to use for encrypting the objects in the destination bucket.
I ran into the same problem when trying to implement KMS-encrypted cross-region, cross-account replication with Terraform.
At some point I noticed that the source KMS key is missing in the configuration (like you did) and added it via the S3 web interface. After doing so, AWS created another policy (without mentioning it anywhere; I found it a day later while doing something else) called something like crr-$SOURCE_BUCKET_NAME-to-$TARGET_BUCKET_NAME and attached it to the replication role. After inspecting that policy, I realised that this is the missing piece of the puzzle.
This is the important part of the policy:
{
  "Action": [
    "kms:Decrypt"
  ],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.${var.source_bucket_region}.amazonaws.com",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::${var.source_bucket_name}/*"
      ]
    }
  },
  "Resource": [
    "${var.source_kms_key_arn}"
  ]
},
${var.source_kms_key_arn} is your source KMS key ARN.
PS: This issue drove me crazy! (╯°□°)╯︵ ┻━┻
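The replication role policy that the answer above describes, written out end to end as an added Terraform example. This is not code from the asker or the answerer; it uses Terraform 0.12+ syntax (no `"${...}"` wrapping) and assumes the variables `source_bucket_name`, `destination_bucket_name`, `source_bucket_region`, `destination_bucket_region`, `source_kms_key_arn` and `destination_kms_key_arn` are declared elsewhere. The point it demonstrates is that the replication configuration itself never names the source key: `sse_kms_encrypted_objects { enabled = true }` only says "also replicate SSE-KMS objects", and it is the role's `kms:Decrypt` statement (the one the console generates silently) that decides which source keys S3 may use.

```terraform
# Added example (not from the original post). Assumed variables:
# source_bucket_name, destination_bucket_name, source_bucket_region,
# destination_bucket_region, source_kms_key_arn, destination_kms_key_arn.

data "aws_iam_policy_document" "replication_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "replication" {
  name               = "s3-crr-${var.source_bucket_name}"
  assume_role_policy = data.aws_iam_policy_document.replication_assume.json
}

data "aws_iam_policy_document" "replication" {
  # Read the replication configuration and list the source bucket.
  statement {
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.source_bucket_name}"]
  }

  # Read object versions, ACLs and tags from the source bucket.
  statement {
    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
    ]
    resources = ["arn:aws:s3:::${var.source_bucket_name}/*"]
  }

  # Write replicas (and replicated deletes/tags) into the destination bucket.
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["arn:aws:s3:::${var.destination_bucket_name}/*"]
  }

  # The statement the console adds on its own: decrypt with the SOURCE key,
  # but only when S3 in the source region calls KMS on behalf of objects
  # in the source bucket (ViaService + encryption context scoping).
  statement {
    actions   = ["kms:Decrypt"]
    resources = [var.source_kms_key_arn]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${var.source_bucket_region}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["arn:aws:s3:::${var.source_bucket_name}/*"]
    }
  }

  # Encrypt replicas with the DESTINATION key (the one passed as
  # replica_kms_key_id), scoped the same way to the destination bucket.
  statement {
    actions   = ["kms:Encrypt"]
    resources = [var.destination_kms_key_arn]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${var.destination_bucket_region}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["arn:aws:s3:::${var.destination_bucket_name}/*"]
    }
  }
}

# Same naming pattern the console uses, so a later console edit does not
# leave two overlapping policies on the role.
resource "aws_iam_role_policy" "replication" {
  name   = "crr-${var.source_bucket_name}-to-${var.destination_bucket_name}"
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication.json
}
```

Two checks worth doing after `terraform apply`: the `kms:ViaService` value must be the region of the bucket the key is used for (source region on the decrypt statement, destination region on the encrypt statement), and the `kms:EncryptionContext:aws:s3:arn` scoping is what stops this role from decrypting anything else encrypted under the same key. For the cross-account case, the key policy on whichever key lives in the other account also has to grant the same action to this role; an identity policy alone is not enough there, since KMS key policies are evaluated independently.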