Reputation: 33
I'm setting up batch operations on my bucket and running into an issue (permissions-based, I believe) when the operation tries to access an encrypted manifest file.
I've set up a manifest.csv file that accurately lists the files to operate on. I'm trying to invoke a Lambda function upon those files. However, every time the operation runs, it returns:
"Unsupported encryption type used: SSE_KMS"
I believe it is some sort of access that needs to be defined so I tried loosening the restrictions on my IAM policies and role to see if it would help and it didn't. I tried looking for documentation on KMS keys with batch operations but found none.
The role I'm using has an S3-related policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
Role Trust Relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "batchoperations.s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
KMS Key Access Policy:
{
    "Sid": "Allow use of the key.",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<Account #>:role/<Role Name>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
I feel like I'm just missing something. Can anybody catch anything I missed?
The batch operation should be able to access an encrypted manifest.csv file.
Addition:
It fails before I can even run it.
Upvotes: 1
Views: 3519
Reputation: 101
A custom KMS-encrypted CSV manifest file is not accepted in S3 Batch Operations.
But an S3 Inventory Report's KMS-encrypted manifest.json is accepted in S3 Batch Operations.
I tried placing a custom KMS-encrypted CSV file in the format of an S3 Inventory Report to see whether it actually works. I found out that it does.
I have documented the same in Workaround for S3 Batch Ops CSV Manifest File KMS Restriction.
Upvotes: 0
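The workaround in the answer above (hand a CSV to Batch Operations dressed as an S3 Inventory Report) can be assembled as below. This is an added example, not code from the question, the answer or the linked write-up. Bucket names, keys, ARNs and all function names are placeholders; the manifest.json field names, the "2016-11-30" inventory version and the `S3InventoryReport_CSV_20161130` format string are taken from the public AWS documentation for S3 Inventory and `s3control.create_job` as I recall them, so verify them against the current docs before relying on this. Only `upload_and_create_job()` touches AWS; everything else runs offline.

```python
"""Build an S3 Inventory-style manifest so that Batch Operations will read a
CSV that is stored under SSE-KMS (added example, not from the original post)."""
import hashlib
import json
import time
import uuid

# Constructed sample manifest rows in the "Bucket, Key" schema; not real data.
SAMPLE_CSV = (
    "my-source-bucket,reports/2021/05/a.parquet\n"
    "my-source-bucket,reports/2021/05/b.parquet\n"
)
INVENTORY_SCHEMA = "Bucket, Key"  # "Bucket, Key, VersionId" is also accepted
INVENTORY_FORMAT = "S3InventoryReport_CSV_20161130"  # vs S3BatchOperations_CSV_20180820


def build_inventory_manifest(csv_bytes, source_bucket, manifest_bucket,
                             csv_key, created_ms=None):
    """Return the manifest.json structure that S3 Inventory itself writes.

    Batch Operations checks the CSV against the size and MD5 listed here, so
    both are computed from the exact plaintext bytes that will be uploaded.
    SSE-KMS is applied server-side after upload and does not alter them.
    """
    if created_ms is None:
        created_ms = int(time.time() * 1000)
    return {
        "sourceBucket": source_bucket,
        "destinationBucket": "arn:aws:s3:::" + manifest_bucket,
        "version": "2016-11-30",
        "creationTimestamp": str(created_ms),
        "fileFormat": "CSV",
        "fileSchema": INVENTORY_SCHEMA,
        "files": [{
            "key": csv_key,
            "size": len(csv_bytes),
            "MD5checksum": hashlib.md5(csv_bytes).hexdigest(),
        }],
    }


def build_create_job_params(account_id, manifest_bucket, manifest_key,
                            manifest_etag, lambda_arn, role_arn):
    """Return the keyword arguments for s3control.create_job().

    manifest_etag must be the ETag S3 returned for manifest.json. Under SSE-KMS
    the ETag is NOT the MD5 of the body, so take it from the put_object
    response rather than computing it locally.
    """
    return {
        "AccountId": account_id,
        "ConfirmationRequired": False,
        "Operation": {"LambdaInvoke": {"FunctionArn": lambda_arn}},
        "Report": {"Enabled": False},
        "ClientRequestToken": str(uuid.uuid4()),
        "Manifest": {
            "Spec": {"Format": INVENTORY_FORMAT},
            "Location": {
                "ObjectArn": "arn:aws:s3:::%s/%s" % (manifest_bucket, manifest_key),
                "ETag": manifest_etag.strip('"'),
            },
        },
        "Priority": 10,
        "RoleArn": role_arn,
    }


def upload_and_create_job(csv_bytes, source_bucket, manifest_bucket, kms_key_id,
                          lambda_arn, role_arn, account_id, prefix="batch/"):
    """Upload CSV and manifest.json under SSE-KMS, then create the job.

    Needs boto3 and AWS credentials; the Batch Operations role still needs
    kms:Decrypt on kms_key_id to read both objects. Not run by the tests.
    """
    import boto3  # imported here so the rest of the module stays offline

    s3 = boto3.client("s3")
    csv_key = prefix + "manifest.csv"
    s3.put_object(Bucket=manifest_bucket, Key=csv_key, Body=csv_bytes,
                  ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id)
    manifest = build_inventory_manifest(csv_bytes, source_bucket,
                                        manifest_bucket, csv_key)
    manifest_key = prefix + "manifest.json"
    put = s3.put_object(Bucket=manifest_bucket, Key=manifest_key,
                        Body=json.dumps(manifest).encode(),
                        ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id)
    params = build_create_job_params(account_id, manifest_bucket, manifest_key,
                                     put["ETag"], lambda_arn, role_arn)
    return boto3.client("s3control").create_job(**params)["JobId"]
```

The two pieces that usually go wrong are the checksum and the ETag: the MD5 in manifest.json is over the plaintext CSV bytes, while the ETag passed to create_job is whatever S3 returned for manifest.json, which under SSE-KMS is an opaque value rather than an MD5. The KMS key policy from the question (kms:Decrypt granted to the Batch Operations role) is still required, because the service reads both objects as that role.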
Reputation: 61
SSE_KMS is currently (as of 26/05/2021) not supported on the manifest:
Upvotes: 5
Reputation: 3097
This isn't a policy issue, but actually just an issue with the value you're sending: SSE_KMS is invalid. As mentioned in the documentation:
x-amz-server-side-encryption: Specifies the server-side encryption algorithm to use when Amazon S3 creates an object.
Type: String
Valid Value: aws:kms, AES256
For KMS encryption, you should be using aws:kms as the value you send through (send it as a string). I don't know what language your Lambda is in, but you can take a look at the appropriate SDK for it (here's the one for Node.js; under the putObject properties you can see ServerSideEncryption: AES256 | aws:kms).
Upvotes: 0