SSE-KMS Encryption

This section describes how to connect an AWS S3 Bucket with SSE-KMS Encryption enabled. General instructions for configuring your AWS account to allow ICA to connect to an S3 bucket are found on this page.

Create an S3 bucket with SSE-KMS

Follow the AWS instructions for how to create S3 bucket with SSE-KMS key.

• Note: S3-SSE-KMS must be in the same region as your ICA v2.0 project. See the ICA S3 bucket documentation for more information.

In the "Default encryption" section, enable Server-side encryption and choose AWS Key Management Service key (SSE-KMS). Then select Choose your AWS KMS key.

• If you do not have an existing customer managed key, click Create a KMS key and follow these steps from AWS.

Once the bucket is set, the user is recommended also to create a folder that will be connected to ICA as a prefix. If the user makes a new folder in the bucket that will be linked in the ICA storage configuration, the encryption must be enabled in AWS console.

Connect the S3-SSE-KMS to ICA

Follow the general instructions for connecting an S3 bucket to ICA.

In the step "Create AWS IAM policy":

• Add permission to use KMS key by adding kms:Decrypt, kms:Encrypt, and kms:GenerateDataKey

• Add the ARN KMS key arn:aws:kms:xxx on the first "Resource"

• On Unversioned buckets, the permssions will match the following:

  Copy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "kms:Decrypt",
                  "kms:Encrypt",
                  "kms:GenerateDataKey",
                  "s3:PutBucketNotification",
                  "s3:ListBucket",
                  "s3:GetBucketNotification",
                  "s3:GetBucketLocation"
              ],
              "Resource": [
                  "arn:aws:kms:xxx",
                  "arn:aws:s3:::BUCKET_NAME"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:RestoreObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws:s3:::BUCKET_NAME/*"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "sts:GetFederationToken"
              ],
              "Resource": [
                  "*"
              ]
          }
      ]
  }

• On Versioned OR Suspended buckets, the permssions will match the following:

  Copy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "kms:Decrypt",
                  "kms:Encrypt",
                  "kms:GenerateDataKey",
                  "s3:PutBucketNotification",
                  "s3:ListBucket",
                  "s3:GetBucketNotification",
                  "s3:GetBucketLocation",
                  "s3:ListBucketVersions",
                  "s3:GetBucketVersioning"
              ],
              "Resource": [
                  "arn:aws:kms:xxx",
                  "arn:aws:s3:::BUCKET_NAME"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:RestoreObject",
                  "s3:DeleteObject",
                  "s3:DeleteObjectVersion",
                  "s3:GetObjectVersion"
              ],
              "Resource": "arn:aws:s3:::BUCKET_NAME/*"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "sts:GetFederationToken"
              ],
              "Resource": [
                  "*"
              ]
          }
      ]
  }

At the end of the policy setting, there should be 3 permissions listed in the "Summary".

Create the S3-SSE-KMS configuration in ICA

Follow the general instructions for how to create a storage configuration in ICA.

On step 3 in process above, continue with the [Optional] Server Side Encryption to enter the algorithm and key name for server-side encryption processes.

• On "Algorithm", input aws:kms

• On "Key Name", input the ARN KMS key: arn:aws:kms:xxx

• "Key prefix" is optional, but recommended. "Key prefix" refers to the folder name in the bucket the user previously created above.

Additional set up for Cross Account Copy for S3 buckets with SSE-KMS encryption

In addition to following the instructions to Enable Cross Account Copy, the KMS policy must include the following statement for AWS S3 Bucket with SSE-KMS Encyption (refer to the Role ARN table from the linked page for the ASSUME_ROLE_ARN value):

    {
        "Sid": "Allow cross account access",
        "Effect": "Allow",
        "Principal": {
            "AWS": "ASSUME_ROLE_ARN"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }