Reputation: 1733
Today I was playing around with the SES email receiving rule sets. I defined an S3 bucket to save the incoming mails to. I also checked the "Encrypt Message" option with the default KMS master key for SES.
After doing that, I realized that I don't know how to decrypt them, so I removed the encryption setting.
Now I have some mails I can't open.
Can someone tell me how to do that?
Upvotes: 5
Views: 2214
Reputation: 5659
I'll explain what happened.
S3 has two encryption modes (SSE and CSE in short), as defined here:
Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
SSE is simple for users, as it is transparently handled by S3. CSE becomes a bit trickier, as users/clients need to decrypt data at their end.
Now, SES uses CSE as mentioned here:
Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption.
If you follow the links on the same page, you'll end up here, which gives more details on Retrieving and Decrypting Email Messages.
Upvotes: 4
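What the encryption client does on the decrypt side, as an added Python example that is not part of the answer above or of AWS's documentation. It assumes the client's envelope is stored in the object's user metadata under the keys `x-amz-key-v2`, `x-amz-iv`, `x-amz-cek-alg`, `x-amz-wrap-alg`, `x-amz-tag-len` and `x-amz-matdesc`, that the content cipher is AES-GCM, and that `boto3` and `cryptography` are installed; the function names are hypothetical.

```python
import base64
import json
from typing import NamedTuple


class Envelope(NamedTuple):
    wrapped_key: bytes  # data key, still encrypted under the KMS key
    iv: bytes           # AES-GCM nonce
    context: dict       # KMS encryption context ("material description")


def parse_envelope(metadata: dict) -> Envelope:
    """Validate and decode the envelope kept in the S3 object's user metadata."""
    if "x-amz-key-v2" not in metadata:
        raise ValueError("no envelope: object was not client-side encrypted")
    if metadata.get("x-amz-wrap-alg") != "kms":
        raise ValueError("data key is not wrapped with KMS")
    if metadata.get("x-amz-cek-alg") != "AES/GCM/NoPadding":
        raise ValueError("unexpected content cipher")
    if metadata.get("x-amz-tag-len", "128") != "128":
        raise ValueError("unexpected GCM tag length")
    return Envelope(
        wrapped_key=base64.b64decode(metadata["x-amz-key-v2"]),
        iv=base64.b64decode(metadata["x-amz-iv"]),
        context=json.loads(metadata["x-amz-matdesc"]),
    )


def decrypt_ses_mail(bucket: str, key: str) -> bytes:
    """Fetch one stored message and return the plaintext RFC 822 bytes."""
    import boto3  # imported here so parse_envelope works without the AWS SDK
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    obj = boto3.client("s3").get_object(Bucket=bucket, Key=key)
    env = parse_envelope(obj["Metadata"])
    # KMS unwraps the data key only if the caller has kms:Decrypt on the key
    # and passes the same encryption context that was used when wrapping it.
    data_key = boto3.client("kms").decrypt(
        CiphertextBlob=env.wrapped_key, EncryptionContext=env.context
    )["Plaintext"]
    # The body is ciphertext followed by the 16-byte GCM tag; AESGCM.decrypt
    # expects that layout and raises InvalidTag if the object was altered.
    return AESGCM(data_key).decrypt(env.iv, obj["Body"].read(), None)
```

The caller's credentials need `s3:GetObject` on the bucket and `kms:Decrypt` on the key SES used, and the KMS client must be created in that key's region. Objects stored after the encryption setting was removed have no envelope metadata and are rejected by `parse_envelope`.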