Ori Wasserman
Reputation: 962
AWS KMS - why do I need the "kms:Decrypt" permission when I try to encrypt data?
I noticed that in both of the following scenarios:
- S3 -
PutObjectto an encrypted bucket. - SQS -
SendMessageto an encrypted queue.
I need to have the kms:Decrypt permission (in addition to the kms:GenerateDataKey permission), otherwise it throws an "unauthorized" exception.
Why would that be the case?
Upvotes: 3
Views: 14139
Answers (1)
Foghorn
Reputation: 2326
From AWS:
The call to kms:Decrypt is to verify the integrity of the new data key before using it. Therefore, the producer must have the kms:GenerateDataKey and kms:Decrypt permissions for the customer master key (CMK).
Upvotes: 7
Related Questions
- A client error (InvalidCiphertextException) occurred when calling the Decrypt operation:
- AWS permissions required to copy and encrypt AMI
- Administrator cannot encrypt/decrypt in AWS KMS
- Error while decrypting file using KMS key in Amazon S3
- Why doesn't AWS KMS encrypt/decrypt need data key?
- ECS cluster cannot use KMS key to decrypt "you are not allowed to access"
- AWS: Cannot encrypt an S3 object using my own KMS key
- What is the purpose of encrypting data at rest with AWS KMS?
- AWS S3 server side encryption using CLI
- AWS S3 client side encryption using KMS - Region being ignored