corycorycory

Reputation: 1656

Server Side Encryption with s3Boto - Server Side Encryption with KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms

I am trying to set up server side encryption on my Django app for file uploads. I am using S3Boto3Storage. I can't find clear documentation on how to implement server side encryption, and when trying to upload my file, I get the following error:

An error occurred (InvalidArgument) when calling the PutObject operation: Server Side Encryption with KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms

Here is what my settings look like:

AWS_ACCESS_KEY_ID = 'XXXX'
AWS_SECRET_ACCESS_KEY = 'XXXX'
AWS_STORAGE_BUCKET_NAME = 'tickets'
AWS_S3_ENDPOINT_URL = 'https://sfo2.digitaloceanspaces.com'
AWS_S3_FILE_OVERWRITE = False
AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}
AWS_LOCATION = ''
AWS_DEFAULT_ACL = None
AWS_S3_ENCRYPTION = True

STATIC_URL = 'https://%s/%s/' % (AWS_S3_ENDPOINT_URL, AWS_LOCATION)
STATICFILES_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
DEFAULT_FILE_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'

Upvotes: 0

Views: 1309

Answers (1)

bretsbk

Reputation: 41

I believe this is telling you that you need to include the 'x-amz-server-side-encryption : aws:kms' header somewhere here - possibly in your AWS_S3_OBJECT_PARAMETERS dict.

If you are trying to use a custom CMK to encrypt, you'll need to structure the additional headers like this:

AWS_S3_OBJECT_PARAMETERS = {
    "CacheControl": "max-age=86400",  # existing entry from the question's settings
    # "aws:kms" instructs the request to use a CMK for server-side encryption,
    # and requires you to pass your custom CMK id to the value for the next
    # param, "SSEKMSKeyId". The other acceptable value is "AES256", which uses
    # the AWS S3 SSE to encrypt, and not a CMK.
    "ServerSideEncryption": "aws:kms",
    # This is the id of your custom CMK. This is not required if you set
    # "ServerSideEncryption": "AES256" above.
    "SSEKMSKeyId": "<your kms cmk key id goes here>",
}

The relevant documentation, which I didn't get at first either:

x-amz-server-side-encryption: The Server-side encryption algorithm used when storing this object in S3 (e.g., AES256, aws:kms). Valid Values: AES256 | aws:kms

x-amz-server-side-encryption-aws-kms-key-id: If the x-amz-server-side-encryption is present and has the value of aws:kms, this header specifies the ID of the AWS Key Management Service (AWS KMS) master encryption key that was used for the object.

If the value of x-amz-server-side-encryption is aws:kms, this header specifies the ID of the AWS Key Management Service (AWS KMS) master encryption key that will be used for the object. If you specify x-amz-server-side-encryption:aws:kms, but do not provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the default AWS KMS key to protect the data.

The S3 PUT documentation is here: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html

Upvotes: 1
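The header rules quoted in the answer above, written as a local pre-flight check for an AWS_S3_OBJECT_PARAMETERS dict. This is an added example, not code from the question, the answer or django-storages; `sse_headers` and the sample key id are hypothetical, and the check inspects the dict only, without calling S3.

```python
# Valid values for x-amz-server-side-encryption, per the documentation quoted above.
VALID_SSE = {"AES256", "aws:kms"}

# boto3 PutObject parameter name -> HTTP header named in the quoted documentation.
HEADER_FOR = {
    "ServerSideEncryption": "x-amz-server-side-encryption",
    "SSEKMSKeyId": "x-amz-server-side-encryption-aws-kms-key-id",
}


def sse_headers(object_parameters):
    """Return the SSE headers these parameters produce, or raise ValueError
    for a combination the quoted documentation rules out."""
    sse = object_parameters.get("ServerSideEncryption")
    key_id = object_parameters.get("SSEKMSKeyId")

    if sse is None and key_id is None:
        return {}  # no server-side encryption requested by these parameters

    if sse is None:
        # The case the error message on this page names: a KMS key was
        # supplied, but the aws:kms header was not.
        raise ValueError("SSEKMSKeyId requires ServerSideEncryption='aws:kms'")
    if sse not in VALID_SSE:
        raise ValueError("ServerSideEncryption must be one of %s" % sorted(VALID_SSE))
    if key_id is not None and sse != "aws:kms":
        raise ValueError("SSEKMSKeyId is only used with ServerSideEncryption='aws:kms'")
    if key_id is not None and (not key_id.strip() or key_id.startswith("<")):
        # Catches the template placeholder being deployed unchanged.
        raise ValueError("SSEKMSKeyId is empty or still a placeholder")

    headers = {HEADER_FOR["ServerSideEncryption"]: sse}
    if key_id is not None:
        headers[HEADER_FOR["SSEKMSKeyId"]] = key_id
    # With aws:kms and no key id, the quoted docs say the default KMS key is used.
    return headers


if __name__ == "__main__":
    # Constructed sample inputs; the key id is made up for illustration.
    samples = [
        {"CacheControl": "max-age=86400"},
        {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "example-key-id"},
        {"ServerSideEncryption": "AES256", "SSEKMSKeyId": "example-key-id"},
    ]
    for params in samples:
        try:
            print(params, "->", sse_headers(params))
        except ValueError as exc:
            print(params, "-> rejected:", exc)
```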
