Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Encrypted bucket notifications from S3 to SQS

Tags:

amazon-web-services

amazon-s3

amazon-sqs

aws-kms

How can I set up S3 bucket notifications to a queue in SQS where KMS are used on both the bucket and the queue?

  • I have a bucket in S3 where the contents are encrypted with an AWS Managed Key (the aws/s3 default key).
  • I have a queue in SQS where SSE (server-side encryption) is enabled, but using a CMK (Customer-Managed Key).

When I go into the S3 web console and try adding a notification event on my bucket that sends to my queue in SQS, I am presented with this error message:

Unable to validate the following destination configurations. The message to the SSE queue could not be encrypted using KMS. (arn:aws:sqs:ca-central-1: ... : ...)

I've already tried configuring my KMS Key Policy to give the S3 service account the permissions it needs.

        {
            "Sid": "Let S3 encrypt messages so that bucket notifications can be encrypted",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt"
            ],
            "Resource": "*"
        },

What do I need to do in order to allow bucket notifications onto an encrypted queue?

like image 772
Nic Avatar asked May 04 '20 23:05

Nic

People also ask

Can S3 send notification to SQS?

Sends notifications from S3 to SQS when an object is created. This SAM template creates an S3 bucket and SQS queue. S3 writes a messages to the SQS queue when a new object is put into the bucket.

Can S3 write to SNS?

You must grant the Amazon S3 principal the necessary permissions to call the relevant API to publish messages to an SNS topic, an SQS queue, or a Lambda function. This is so that Amazon S3 can publish event notification messages to a destination.

Are SQS messages encrypted?

Amazon SQS server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256 GCM algorithm) to encrypt each message body. The integration with AWS Key Management Service (KMS) allows you to centrally manage the keys that protect SQS messages along with keys that protect your other AWS resources.

1 Answers

According to the documentation, the second action should be kms:Decrypt instead of kms:Encrypt.

It's a bit counter-intuitive as to why kms:Decrypt is needed. You might be thinking that since the SQS queue is encrypted, so when the S3 service calls the SendMessage API, it needs the kms:Encrypt permission to ensure that the message can be encrypted by the KMS service, right? Not quite, and here is why:

  1. The message is not encrypted directly by the master key (CMK). Instead, it uses envelope encryption, and the data is encrypted by the data key. Why? Because the maximum size of the data that a symmetric CMK can encrypt using the Encrypt API is 4096 bytes, while the size of a message that the SQS service supports can be far greater than 4KB. Therefore, kms:Encrypt is not needed, and instead, kms:GenerateDataKey is required to generate the data key which is used to encrypt the SQS message.

  2. In the section "Configure KMS permissions for producers" of this AWS doc, it explains why kms:Decrypt is needed.

The call to kms:Decrypt is to verify the integrity of the new data key before using it.

To be abundantly clear, the GenerateDataKey API returns both the plaintext data key and the encrypted copy of the data key. The plaintext data key is used to encrypt the SQS message and the encrypted data key will be stored along with the message in the queue. The only way to verify that the encrypted data key is indeed the ciphertext of the plaintext data key is that the service needs to have the kms:Decrypt permission to decrypt the ciphertext and make sure the output is exactly the same as the plaintext data key returned in the GenerateDataKey API response.

like image 164
jellycsc Avatar answered Oct 22 '22 16:10

jellycsc
Sign in to Comment

Related questions

AWS Lambda Polling from SQS: in-flight messages count
How to add a Fargate Service to Inbound Security Rules?
AWS CodePipeline, CodeDeploy, SAM and Lambda: how to (inter)connect those?
Aurora PostgreSQL engine: no space left on device
How to set AWS Appsync request timeout limit || AWSAppSync Client not giving callback
AWS Lambda: async C# handler
With AWS SageMaker, is it possible to deploy a pre-trained model using the sagemaker SDK?
Lambda authorizer response using async/await in Node.js
Using Encrypted EBS Volumes in Auto Scaling Groups with CMK owned by a different AWS account
What is the difference between `Ref: logicalName` and `!Ref logicalName` in AWS Cloudformation templates in YAML?
How to run Tabler in production
What does 'Box-Usage' mean in AWS? [closed]
AWS Lambda vs EC2: Which one to choose
How to use an S3 uri?
Occasional 'temporary failure in name resolution' while connecting to AWS Aurora cluster
Enable object logging on s3 bucket via cloudformation
Search through values of all AWS Lambda function's environment variables in AWS account
Capistorano deploy SSHKit::Runner::ExecuteError : rake exit status: 1
aws eks create cluster error - us-east-1e does not currently have sufficient capacity to support the cluster [closed]
Need to make an identical copy of AWS IAM role (including policies and trust relationship it has)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!