Please explain who requests the KMS key when we upload an object to S3. Is it the uploader or S3 itself?
If S3 has to deal with KMS, it has to assume a role.
Or does S3 mention the uploader in the API request?
A little bit of context: we would like to use AWS SSE-KMS on our S3 bucket to encrypt our plaintext object uploads. I'm planning to allow these permissions only to an IAM role used exclusively by our EC2 instances:
kms:GenerateDataKey
kms:Decrypt
What would normal users using our AWS account see when downloading objects from our bucket? Would the objects be encrypted since they don't have KMS permissions? Are they able to download these objects at all?
Thanks
Is it possible to use presigned urls to upload files directly to AWS S3 bucket with KMS encryption?
Looks like it's not possible, but maybe I missed something.
We are able to put objects into our S3 bucket.
But now we have a requirement to put these objects directly into an S3 bucket which belongs to a different account and a different region.
Here we have a few questions:
Is this possible?
If possible, what changes do we need to make for this?
They have provided us with the Access Key, Secret Key, Region, and Bucket details.
Any comments and suggestions will be appreciated.
IAM credentials are associated with a single AWS Account.
When you launch your own Amazon EC2 instance with an assigned IAM Role, it will receive access credentials that are associated with your account.
To write to another account's Amazon S3 bucket, you have two options:
Option 1: Your credentials + Bucket Policy
The owner of the destination Amazon S3 bucket can add a Bucket Policy on the bucket that permits access by your IAM Role. This way, you can just use the normal credentials available on the EC2 instance.
Option 2: Their credentials
It appears that you have been given access credentials for their account. You can use these credentials to access their Amazon S3 bucket.
As detailed on Working with AWS Credentials - AWS SDK for Java, you can provide these credentials in several ways. However, if you are using BOTH the credentials provided by the IAM Role AND the credentials that have been given to you, it can be difficult to 'switch between' them. (I'm not sure if there is a way to tell the Credentials Provider to switch between a profile stored in the ~/.aws/credentials file and those provided via instance metadata.)
Thus, the easiest way is to specify the Access Key and Secret Key when creating the S3 client:
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
BasicAWSCredentials awsCreds = new BasicAWSCredentials("access_key_id", "secret_access_key"); // placeholders for the keys they gave you
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
        .withRegion("destination-bucket-region").build(); // placeholder: the region of their bucket, since it differs from yours
It is generally not a good idea to put credentials in your code. You should load them from a configuration file.
Yes, it's possible. You need to allow the cross-account S3 put operation in the bucket's policy.
Here is a blog by AWS. It should help you in setting up the cross-account put action.
I have two AWS accounts. Each account has an S3 bucket and CloudFront which exposes the contents of the S3 bucket.
I would like to get rid of a CORS issue.
For that I need to serve all content using one CloudFront.
How can I grant permissions to the S3 bucket from account2 to CloudFront in account1?
This is possible if the bucket is publicly accessible. The bucket won't appear in the drop-down when you're creating the origin, but you can use the name as bucket.s3.region.amazonaws.com.
It is also possible using an origin access identity. First use your own bucket to have CloudFront create the bucket policy automatically; you should be able to see the IAM identity in CloudTrail. You can copy the same policy to the other account's S3 bucket and the OAI should work.
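Neither the cross-account put answer above (Option 1) nor this OAI answer shows the bucket policy itself. The following is an added example, my own code rather than anything from the thread or from AWS: it writes out the two policy documents those answers rely on, the cross-account s3:PutObject grant to another account's role and the s3:GetObject grant to a CloudFront origin access identity, and checks them with a small Allow-only evaluator so you can see which principal gets which action. The account ids, role name, bucket names and OAI id are constructed placeholders; the condition keys and principal formats are the real ones.

```python
import json
import re
from typing import Optional

# Constructed placeholders: none of these identifiers come from the thread.
WRITER_ROLE_ARN = "arn:aws:iam::222222222222:role/ec2-uploader"  # the other account's EC2 role
OAI_ID = "E1EXAMPLEOAI"                                           # CloudFront origin access identity id
OAI_PRINCIPAL = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"


def cross_account_put_policy(bucket: str, writer_role_arn: str) -> dict:
    """Bucket policy for 'Option 1': the bucket owner lets a role from another
    account put objects. The condition makes the writer grant the bucket owner
    full control of each object; without it, objects written by the other
    account stay owned by that account and the bucket owner cannot read them
    (unless the bucket uses the 'bucket owner enforced' Object Ownership setting)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPut",
            "Effect": "Allow",
            "Principal": {"AWS": writer_role_arn},
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }


def cloudfront_oai_read_policy(bucket: str, oai_principal: str) -> dict:
    """The statement CloudFront generates for an origin access identity. The same
    document can be applied to a bucket in another account, which is what the
    answer above describes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' and '?' wildcards, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def policy_allows(policy: dict, principal: str, action: str, resource: str,
                  request_context: Optional[dict] = None) -> bool:
    """Minimal evaluator for Allow-only bucket policies. A request is allowed when
    some statement names the principal (or '*'), matches action and resource,
    and every StringEquals condition matches the request context. Real IAM
    evaluation also applies Deny statements, the caller's identity policies,
    SCPs and more; this is only enough to reason about the documents above."""
    ctx = request_context or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        pr = st["Principal"]
        principals = _as_list(pr.get("AWS", [])) if isinstance(pr, dict) else _as_list(pr)
        if "*" not in principals and principal not in principals:
            continue
        if not any(_iam_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(key) == val for key, val in equals.items()):
            return True
    return False


def demo() -> dict:
    """Run the two policies against constructed requests."""
    put = cross_account_put_policy("shared-uploads", WRITER_ROLE_ARN)
    read = cloudfront_oai_read_policy("account2-assets", OAI_PRINCIPAL)
    obj = "arn:aws:s3:::shared-uploads/reports/q1.csv"
    acl = {"s3:x-amz-acl": "bucket-owner-full-control"}
    return {
        "writer_put_with_acl": policy_allows(put, WRITER_ROLE_ARN, "s3:PutObject", obj, acl),
        "writer_put_without_acl": policy_allows(put, WRITER_ROLE_ARN, "s3:PutObject", obj),
        "writer_get": policy_allows(put, WRITER_ROLE_ARN, "s3:GetObject", obj, acl),
        "other_role_put": policy_allows(put, "arn:aws:iam::333333333333:role/other", "s3:PutObject", obj, acl),
        "oai_get": policy_allows(read, OAI_PRINCIPAL, "s3:GetObject", "arn:aws:s3:::account2-assets/index.html"),
        "oai_put": policy_allows(read, OAI_PRINCIPAL, "s3:PutObject", "arn:aws:s3:::account2-assets/index.html"),
    }


if __name__ == "__main__":
    print(json.dumps(cross_account_put_policy("shared-uploads", WRITER_ROLE_ARN), indent=2))
    print(demo())
```

The bucket-side grant is only half of a cross-account write: the writer's own account must also allow s3:PutObject on that resource in the role's identity policy, and the writer has to send the bucket-owner-full-control ACL on each upload (for example `ACL='bucket-owner-full-control'` in boto3's `put_object`), otherwise the condition is not met and S3 returns Access Denied. If the destination bucket uses SSE-KMS, as the earlier question on this page plans, the writer additionally needs kms:GenerateDataKey on the key, granted through the key policy in the bucket owner's account.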
I create an IAM user and attach the AWS default AmazonS3FullAccess policy to this user.
For the S3 part, I grant the upload/delete permission as well.
I can upload a file to my S3 bucket using the user's access key and secret key with Python boto. However, I cannot delete the object I just uploaded. The response is always Access Denied.
Does anyone know what is going on?