Open aldy120 opened 1 year ago
Use `aws s3api head-object --bucket <bucket> --key <key>` to inspect an object's encryption information, including whether an S3 Bucket Key is used.
- `x-amz-server-side-encryption`: The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms). Valid values: `AES256` | `aws:kms`
- `x-amz-server-side-encryption-aws-kms-key-id`: If present, specifies the ID of the AWS Key Management Service (AWS KMS) symmetric encryption customer managed key that was used for the object.
- `x-amz-server-side-encryption-bucket-key-enabled`: Indicates whether the object uses an S3 Bucket Key for server-side encryption with AWS KMS (SSE-KMS).
- `x-amz-server-side-encryption-customer-algorithm`: If server-side encryption with a customer-provided encryption key was requested, the response will include this header confirming the encryption algorithm used.
- `x-amz-server-side-encryption-customer-key-MD5`: If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide round-trip message integrity verification of the customer-provided encryption key.
Not encrypted at all:

```
aws s3api head-object --bucket dub-bucket-20201110 --key test.txt
```

```json
{
  "AcceptRanges": "bytes",
  "LastModified": "2022-10-09T16:30:53+00:00",
  "ContentLength": 7296,
  "ETag": "\"7c9c53784254d2d01f838ad6861eadb0\"",
  "ContentType": "text/plain",
  "Metadata": {}
}
```
After enabling default encryption on the bucket, set it to a custom KMS key and turn on the bucket key.

First upload an object without passing any encryption information. I found that the default KMS key was applied and the object was also marked as using a bucket key.
```
aws s3 cp test.txt s3://dub-bucket-20201110/default-encryption.txt
aws s3api head-object --bucket dub-bucket-20201110 --key default-encryption.txt
```

```json
{
  "AcceptRanges": "bytes",
  "LastModified": "2023-03-08T19:36:15+00:00",
  "ContentLength": 4,
  "ETag": "\"c2513c5ec29f3262b18335986f43eaac\"",
  "ContentType": "text/plain",
  "ServerSideEncryption": "aws:kms",
  "Metadata": {},
  "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84",
  "BucketKeyEnabled": true
}
```
Explicitly specifying the custom bucket key gives the same result.
```
aws s3 cp test.txt s3://dub-bucket-20201110/kms-encryption.txt --sse aws:kms --sse-kms-key-id 453aadee-bd33-4e8b-a5a6-e260771dff84
aws s3api head-object --bucket dub-bucket-20201110 --key kms-encryption.txt
```

```json
{
  "AcceptRanges": "bytes",
  "LastModified": "2023-03-08T19:38:13+00:00",
  "ContentLength": 4,
  "ETag": "\"1622a6b1c7f2526428217b3e945c32b0\"",
  "ContentType": "text/plain",
  "ServerSideEncryption": "aws:kms",
  "Metadata": {},
  "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84",
  "BucketKeyEnabled": true
}
```
Using the AWS managed KMS key `aws/s3` also results in a bucket key.
```
aws s3 cp test.txt s3://dub-bucket-20201110/kmss3-encryption.txt --sse aws:kms --sse-kms-key-id 2a52dcea-d58d-4f48-9d6a-409673b8b838
aws s3api head-object --bucket dub-bucket-20201110 --key kmss3-encryption.txt
```

```json
{
  "AcceptRanges": "bytes",
  "LastModified": "2023-03-08T19:43:45+00:00",
  "ContentLength": 4,
  "ETag": "\"80c15f200227592b882853936107e25a\"",
  "ContentType": "text/plain",
  "ServerSideEncryption": "aws:kms",
  "Metadata": {},
  "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/2a52dcea-d58d-4f48-9d6a-409673b8b838",
  "BucketKeyEnabled": true
}
```
After disabling the bucket key:
```
aws s3 cp test.txt s3://dub-bucket-20201110/kms-encryption-without-bucket-key.txt --sse aws:kms --sse-kms-key-id 453aadee-bd33-4e8b-a5a6-e260771dff84
aws s3api head-object --bucket dub-bucket-20201110 --key kms-encryption-without-bucket-key.txt
```

```json
{
  "AcceptRanges": "bytes",
  "LastModified": "2023-03-08T19:56:58+00:00",
  "ContentLength": 4,
  "ETag": "\"68ed90dab16b334128f7b9aee57f4ed7\"",
  "ContentType": "text/plain",
  "ServerSideEncryption": "aws:kms",
  "Metadata": {},
  "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84"
}
```
The encryption specified in the request is not changed by the bucket default.
Default bucket encryption also doesn't override the encryption settings specified in the upload of a new object. For example, if you specify AES256 encryption in your PutObject request to a bucket with default SSE-KMS encryption, then the object maintains AES256 encryption (SSE-S3).
https://repost.aws/knowledge-center/s3-aws-kms-default-encryption
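The `head-object` fields explained at the top (`ServerSideEncryption`, `SSEKMSKeyId`, `BucketKeyEnabled`, `SSECustomerAlgorithm`) and the experiments above together define every state an object can be in. The script below is an added example, not part of this issue or of any AWS tool: it parses captured `head-object` JSON and classifies each object, then audits a set of objects against a "must use this CMK with a bucket key" policy. The responses and the KMS key ARNs (`111122223333` account, `cmk-example-0001`, `aws-s3-example-0002`) are constructed placeholders shaped like the outputs above; the helper names are hypothetical. Note the edge case seen in the last experiment: when the bucket key is disabled, `BucketKeyEnabled` is absent rather than `false`.

```python
"""Classify and audit S3 object encryption from `aws s3api head-object` JSON.

Hypothetical audit helper written for this note, not AWS code. The
sample responses are constructed to mirror the shape of real output.
"""
import json

# Constructed placeholder ARNs (the issue's real key ARNs are not reused here).
CMK_ARN = "arn:aws:kms:eu-west-1:111122223333:key/cmk-example-0001"
AWS_S3_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/aws-s3-example-0002"

# Constructed head-object outputs, one per state discussed in the note.
# Raw strings keep the escaped quotes that the CLI prints around ETag values.
SAMPLE_RESPONSES = {
    # Uploaded before default encryption existed: no SSE fields at all.
    "test.txt": r"""{"AcceptRanges": "bytes", "ContentLength": 7296,
        "ETag": "\"00000000000000000000000000000001\"",
        "ContentType": "text/plain", "Metadata": {}}""",
    # Bucket default SSE-KMS with CMK and bucket key applied on upload.
    "default-encryption.txt": r"""{"AcceptRanges": "bytes", "ContentLength": 4,
        "ETag": "\"00000000000000000000000000000002\"",
        "ContentType": "text/plain", "ServerSideEncryption": "aws:kms",
        "Metadata": {},
        "SSEKMSKeyId": "arn:aws:kms:eu-west-1:111122223333:key/cmk-example-0001",
        "BucketKeyEnabled": true}""",
    # Explicit aws/s3 managed key: still SSE-KMS, but not the required CMK.
    "kmss3-encryption.txt": r"""{"AcceptRanges": "bytes", "ContentLength": 4,
        "ETag": "\"00000000000000000000000000000003\"",
        "ContentType": "text/plain", "ServerSideEncryption": "aws:kms",
        "Metadata": {},
        "SSEKMSKeyId": "arn:aws:kms:eu-west-1:111122223333:key/aws-s3-example-0002",
        "BucketKeyEnabled": true}""",
    # Bucket key disabled: BucketKeyEnabled is missing, not false.
    "kms-encryption-without-bucket-key.txt": r"""{"AcceptRanges": "bytes",
        "ContentLength": 4, "ETag": "\"00000000000000000000000000000004\"",
        "ContentType": "text/plain", "ServerSideEncryption": "aws:kms",
        "Metadata": {},
        "SSEKMSKeyId": "arn:aws:kms:eu-west-1:111122223333:key/cmk-example-0001"}""",
    # PutObject asked for AES256, which the bucket default does not override.
    "aes256-override.txt": r"""{"AcceptRanges": "bytes", "ContentLength": 4,
        "ETag": "\"00000000000000000000000000000005\"",
        "ContentType": "text/plain", "ServerSideEncryption": "AES256",
        "Metadata": {}}""",
}


def parse_head_object(raw_json: str) -> dict:
    """Parse the JSON document printed by `aws s3api head-object`."""
    return json.loads(raw_json)


def classify(head: dict) -> str:
    """Return a short label for how the object is encrypted at rest.

    SSE-C is reported through SSECustomerAlgorithm, not ServerSideEncryption,
    so it has to be checked first.
    """
    if "SSECustomerAlgorithm" in head:
        return "SSE-C"
    algo = head.get("ServerSideEncryption")
    if algo is None:
        return "NONE"
    if algo == "AES256":
        return "SSE-S3"
    if algo == "aws:kms":
        # Absent BucketKeyEnabled means no bucket key was used.
        return "SSE-KMS+BucketKey" if head.get("BucketKeyEnabled") else "SSE-KMS"
    return f"UNKNOWN({algo})"


def audit(responses: dict, required_key_arn: str) -> dict:
    """Map each object key to a list of policy findings (empty list = compliant).

    Policy: every object must be SSE-KMS under `required_key_arn`; a disabled
    bucket key is reported as an operational finding (one KMS call per object).
    """
    findings = {}
    for key, raw in responses.items():
        head = parse_head_object(raw)
        label = classify(head)
        problems = []
        if not label.startswith("SSE-KMS"):
            problems.append(f"not SSE-KMS (found {label})")
        elif head.get("SSEKMSKeyId") != required_key_arn:
            problems.append(f"unexpected KMS key {head.get('SSEKMSKeyId')}")
        if label == "SSE-KMS":
            problems.append("bucket key disabled (one KMS call per object)")
        findings[key] = problems
    return findings


if __name__ == "__main__":
    for key, problems in audit(SAMPLE_RESPONSES, CMK_ARN).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{key:45s} {status}")
```

In practice the `SAMPLE_RESPONSES` dict would be filled by running `aws s3api head-object` per key (or `boto3`'s `head_object`, whose response uses the same field names); the classification and audit logic stays the same.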