The S3 bucket and its files are already protected by the bucket policy and by IAM policies. Currently, the role attached to the working instance has read and write access to the S3 bucket. However, other instances or users may at some point need read access to the bucket. It is therefore desirable to encrypt the files with the CMK we created by importing our own key material, adding a further layer of protection to the files in the bucket.
We need to use the appropriate API to upload the files using Server Side Encryption (SSE) with AWS KMS and the CMK we created. As stated in the Amazon S3 documentation, the call has this structure:
```python
import boto3

s3 = boto3.client('s3')
BUCKET = '<your-bucket-name>'   # placeholder: the workshop bucket
keyid = '<your-cmk-key-id>'     # placeholder: key ID, ARN or alias of the CMK

s3.put_object(Bucket=BUCKET,
              Key='encrypt-key',
              Body=b'foobar',
              ServerSideEncryption='aws:kms',
              # Optional: SSEKMSKeyId. If omitted, S3 uses the AWS managed key aws/s3
              # instead of our own CMK.
              SSEKMSKeyId=keyid)
```
We could very easily modify the code in our App to include Server Side Encryption (SSE). However, it is clearer to download a version of the WebApp with the changes already implemented in the code, which therefore provides Server Side Encryption using one of our CMKs.
```bash
sudo wget https://raw.githubusercontent.com/aws-samples/aws-kms-workshop/master/WebAppEncSSE.py
# List the KMS aliases so you can identify the CMK the app will use
aws kms list-aliases
sudo python WebAppEncSSE.py 80
```
From the file browser Web App, you can download and display the file we have uploaded and encrypted. Remember that when using Server Side Encryption with KMS you don't need to provide any additional information to get the object: S3 stores the ID of the CMK in the object's metadata and asks KMS to decrypt the data key on your behalf, so the caller needs kms:Decrypt permission on that CMK in addition to s3:GetObject on the bucket.
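The following is an added example (not the workshop's code nor the `WebAppEncSSE.py` app) that wraps the SSE-KMS upload described above in a function which verifies, via `head_object`, that S3 actually recorded the expected CMK, and adds a small audit routine that reports any object in the bucket not encrypted under that CMK. The bucket name, key ID and account number are constructed placeholders; `FakeS3` is a constructed in-memory stand-in for the boto3 client so the code runs offline, and it assumes that, against real AWS, the role has `s3:PutObject`, `s3:GetObject`, `s3:ListBucket` on the bucket and `kms:GenerateDataKey` / `kms:Decrypt` on the CMK.

```python
"""SSE-KMS upload with verification, plus a bucket audit (added example).

BUCKET and KMS_KEY_ID are placeholders, not values from the workshop.
"""

BUCKET = "example-workshop-bucket"                   # placeholder bucket name
KMS_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder CMK key ID


def _same_cmk(reported, expected):
    """S3 reports SSEKMSKeyId as the full key ARN even when a bare key ID was
    supplied at PUT time, so accept an exact match or an ARN ending in the ID.
    (Pass a key ID or ARN, not an alias: S3 reports the target key's ARN.)"""
    return reported == expected or reported.endswith("/" + expected)


def upload_with_sse_kms(s3, bucket, key, body, kms_key_id):
    """PUT the object under SSE-KMS, then HEAD it and confirm that S3 recorded
    the expected CMK. Returns True only if the stored metadata matches."""
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id)
    head = s3.head_object(Bucket=bucket, Key=key)
    return (head.get("ServerSideEncryption") == "aws:kms"
            and _same_cmk(head.get("SSEKMSKeyId", ""), kms_key_id))


def audit_bucket(s3, bucket, kms_key_id):
    """Walk every object in the bucket and return the keys that are NOT
    encrypted under the expected CMK (plaintext, SSE-S3, or another KMS key)."""
    offenders = []
    kwargs = {"Bucket": bucket}
    while True:
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if not (head.get("ServerSideEncryption") == "aws:kms"
                    and _same_cmk(head.get("SSEKMSKeyId", ""), kms_key_id)):
                offenders.append(obj["Key"])
        if not page.get("IsTruncated"):
            return offenders
        kwargs["ContinuationToken"] = page["NextContinuationToken"]


class FakeS3:
    """Constructed in-memory stand-in for boto3's S3 client (offline only).
    It mimics two real S3 behaviours: objects uploaded without SSE fields carry
    none, and SSEKMSKeyId is reported back as a key ARN."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kw):
        meta = {}
        if "ServerSideEncryption" in kw:
            meta["ServerSideEncryption"] = kw["ServerSideEncryption"]
            kid = kw.get("SSEKMSKeyId")
            if kid:  # constructed account number in the ARN below
                meta["SSEKMSKeyId"] = (kid if kid.startswith("arn:") else
                                       "arn:aws:kms:us-east-1:111122223333:key/" + kid)
        self.objects[(Bucket, Key)] = (Body, meta)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def head_object(self, Bucket, Key):
        body, meta = self.objects[(Bucket, Key)]
        return dict(meta, ContentLength=len(body))

    def list_objects_v2(self, Bucket, **kw):
        keys = sorted(k for (b, k) in self.objects if b == Bucket)
        return {"Contents": [{"Key": k} for k in keys], "IsTruncated": False}


if __name__ == "__main__":
    try:
        import boto3
        client = boto3.client("s3")   # real AWS: needs credentials and the IAM rights above
    except ImportError:
        client = FakeS3()
    print(upload_with_sse_kms(client, BUCKET, "hello.txt", b"hello", KMS_KEY_ID))
    print(audit_bucket(client, BUCKET, KMS_KEY_ID))
```

The audit is the check a defender wants after switching the app to SSE-KMS: a bucket policy can deny uploads that lack `x-amz-server-side-encryption`, but objects written before the switch, or under the AWS managed `aws/s3` key, still need to be found and re-encrypted, and `audit_bucket` lists exactly those.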