S3 Storage Encryption with AWS cross-account KMS key

Prerequisites for S3 Storage Encryption with AWS cross-account KMS key

  • A Symmetric Customer Managed Key created in the AWS account that will hold the key used for encryption. In this guide that account is called the KMS Account.
  • A Key Policy on the key created above, in the KMS Account, that grants access to the other AWS account. In this guide that account is called the S3 Hosted Account.
  • An IAM Policy attached to the IAM user in the S3 Hosted Account that delegates access to the key in the KMS Account.


Customer Managed Keys should NOT be deleted. If a key is deleted, the files that were encrypted with it become inaccessible and cannot be recovered.


Configuring S3 Storage Encryption with AWS cross-account KMS key

A) The following steps can be used as reference in creating a key on KMS Account:

1) From the AWS Console, navigate to KMS > Customer Managed Keys and click on "Create Key". Choose the default options as in the screenshot below and click on 'Next'.

2) Provide an Alias or Name for the key and click on 'Next'.

3) Provide access to admin IAM users if needed or proceed with the defaults and click on 'Next'.

4) Provide access to IAM users if needed and, under "Other AWS accounts", provide the Account ID of the S3 Hosted Account. Click on 'Next', then on the next page click on 'Finish'. NOTE: This grants access to the root user of the S3 Hosted Account.

NOTE: Make sure the key policy includes the following permissions.

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<KMS Account ID>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<S3 Hosted Account ID>:root"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

B) The following step is done in the S3 Hosted Account to delegate access to the key from the KMS Account to an IAM user:

Add the following IAM policy to the IAM user that has access to the S3 bucket in the S3 Hosted Account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CMK",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "<ARN for the KMS key from KMS Account>"
        }
    ]
}
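Steps A and B above each list the same five KMS permissions in two different policies, and a gap in either one only shows up later as a failed upload or download. The following script is an added example (not FileCloud's or AWS's code) that checks both policies offline, before they are applied: it confirms that the key policy grants the S3 Hosted Account's root principal every required operation, and that the IAM policy grants the same operations on the key's ARN. The account IDs, the key ARN and the deliberately incomplete third policy are constructed sample values; explicit Deny statements and Condition blocks are not evaluated.

```python
"""Offline check of the key policy (step A) and IAM policy (step B).

Added example, not FileCloud's or AWS's code. Account IDs and the key ARN
are constructed sample values. Deny statements and Conditions are ignored.
"""
import fnmatch

# The concrete KMS operations S3 SSE-KMS uses; kms:ReEncrypt* and
# kms:GenerateDataKey* in the policies above are patterns covering these.
REQUIRED_OPERATIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
)


def _as_list(value):
    """Action, Resource and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principals named by a key-policy statement ('*' means anyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def _allowed_action_patterns(policy, principal_arn=None, resource_arn=None):
    """Action patterns from Allow statements that apply to the given
    principal (key policy) and/or resource ARN (IAM policy)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None and not any(
                p in ("*", principal_arn) for p in _principals(stmt)):
            continue
        # Resource matching is case-sensitive and honours '*' wildcards.
        if resource_arn is not None and not any(
                fnmatch.fnmatchcase(resource_arn, r)
                for r in _as_list(stmt.get("Resource"))):
            continue
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def missing_operations(policy, principal_arn=None, resource_arn=None):
    """Required operations the policy does not grant (IAM action names
    are case-insensitive and may use '*' wildcards)."""
    patterns = _allowed_action_patterns(policy, principal_arn, resource_arn)
    return [op for op in REQUIRED_OPERATIONS
            if not any(fnmatch.fnmatchcase(op.lower(), pat.lower())
                       for pat in patterns)]


def check_key_policy(key_policy, s3_hosted_account_id):
    """Step A: the S3 Hosted Account root principal needs every operation."""
    root = f"arn:aws:iam::{s3_hosted_account_id}:root"
    return missing_operations(key_policy, principal_arn=root)


def check_iam_policy(iam_policy, key_arn):
    """Step B: the IAM user needs every operation on the key's ARN."""
    return missing_operations(iam_policy, resource_arn=key_arn)


# Constructed sample values (not real accounts or keys).
KMS_ACCOUNT_ID = "111122223333"
S3_HOSTED_ACCOUNT_ID = "444455556666"
KEY_ARN = (f"arn:aws:kms:us-east-1:{KMS_ACCOUNT_ID}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
USE_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]

KEY_POLICY = {  # step A's key policy with the placeholders filled in
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KMS_ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{S3_HOSTED_ACCOUNT_ID}:root"},
         "Action": USE_KEY_ACTIONS, "Resource": "*"},
    ],
}

IAM_POLICY = {  # step B's IAM policy with the key ARN filled in
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CMK", "Effect": "Allow",
                   "Action": USE_KEY_ACTIONS, "Resource": KEY_ARN}],
}

# Constructed: the same IAM policy with kms:GenerateDataKey* left out, the
# kind of gap that breaks SSE-KMS uploads while downloads keep working.
IAM_POLICY_INCOMPLETE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CMK", "Effect": "Allow",
                   "Action": [a for a in USE_KEY_ACTIONS
                              if a != "kms:GenerateDataKey*"],
                   "Resource": KEY_ARN}],
}

if __name__ == "__main__":
    print("key policy gaps:", check_key_policy(KEY_POLICY, S3_HOSTED_ACCOUNT_ID))
    print("IAM policy gaps:", check_iam_policy(IAM_POLICY, KEY_ARN))
    print("incomplete IAM policy gaps:",
          check_iam_policy(IAM_POLICY_INCOMPLETE, KEY_ARN))
```

To use it on your own policies, paste the JSON exported from the KMS console and the IAM console into `KEY_POLICY` and `IAM_POLICY`; an empty list from both checks means every permission in steps A and B is present for the right principal and the right key.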


C) Finally, navigate to the FileCloud admin page, Settings > Storage > My Files > S3 Encryption, and click on "Manage". Choose the "Amazon KMS-Managed Key Encryption" option and provide the ARN of the KMS key from the KMS Account, as in the screenshot below. Then click on "Enable encryption".

Rotating AWS Customer Managed Keys

  1. In the navigation pane, choose Customer managed keys.

  2. Choose the alias or key ID of a CMK.

  3. Choose the Key rotation tab.

  4. Select the Automatically rotate this CMK every year check box. If a CMK is disabled or pending deletion, the Automatically rotate this CMK every year check box is cleared, and you cannot change it. The key rotation status is restored when you enable the CMK or cancel deletion.

  5. Choose Save.

When you enable automatic key rotation for a CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations.

However, automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key.

NOTE: Manual key rotation is not supported by FileCloud.

Enabling access logging for an S3 bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Bucket name list, choose the name of the bucket that you want to enable server access logging for.

  3. Choose Properties.

  4. Choose Server access logging.

  5. Choose Enable Logging. For Target, choose the name of the bucket that you want to receive the log record objects. The target bucket must be in the same Region as the source bucket. Also, it must be owned by the same AWS account and must not have a default retention period configuration.

  6. (Optional) For Target prefix, type a key name prefix for log objects, so that all of the log object names begin with the same string.

  7. Choose Save.

You can view the logs in the target bucket. If you specified a prefix, the prefix shows as a folder in the target bucket in the console. After you enable server access logging, it might take a few hours before the logs are delivered to the target bucket.
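Once the log objects arrive in the target bucket, the useful next step is to actually read them. The script below is an added example (not FileCloud's or AWS's code) that parses S3 server access log records in the documented field order and flags the records a defender would look at first: unauthenticated requests, requests that ended in AccessDenied, and requests made over plain HTTP rather than TLS. The two log lines embedded in it are constructed samples with invented bucket names, IDs and addresses.

```python
"""Parse S3 server access log records and flag security-relevant events.

Added example, not FileCloud's or AWS's code. Field order follows the
documented S3 server access log format; the sample records are constructed.
"""

# Field names in the order they appear in a server access log record.
# Newer records append more fields after these; they are ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]


def tokenize(line):
    """Split a record on spaces, keeping "..." and [...] groups as one token."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c in '"[':
            close = '"' if c == '"' else "]"
            j = line.index(close, i + 1)   # ValueError if the group is unterminated
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_record(line):
    """Map one log line to a dict keyed by FIELDS; trailing extras are dropped."""
    tokens = tokenize(line.strip())
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))


def findings(record):
    """Reasons a single record deserves a look (empty list if none)."""
    reasons = []
    if record["auth_type"] == "-":          # no auth header or presigned query string
        reasons.append("unauthenticated request")
    if record["error_code"] == "AccessDenied":
        reasons.append("access denied")
    if record["tls_version"] == "-":        # request arrived over plain HTTP
        reasons.append("plain HTTP (no TLS)")
    return reasons


def review(lines):
    """Return [(request_id, operation, key, reasons)] for flagged records."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = findings(rec)
        if reasons:
            out.append((rec["request_id"], rec["operation"], rec["key"], reasons))
    return out


# Constructed sample records: one normal authenticated download over TLS,
# then an anonymous download attempt over plain HTTP that was denied.
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-data [06/Feb/2019:00:00:38 +0000] 192.0.2.3 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 3E57427F3EXAMPLE REST.GET.OBJECT docs/report.pdf "GET /docs/report.pdf HTTP/1.1" 200 - 113 113 7 5 "-" "aws-sdk-php/3.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-data.s3.us-east-1.amazonaws.com TLSv1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-data [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 9D1C2F4A8EXAMPLE REST.GET.OBJECT docs/report.pdf "GET /docs/report.pdf HTTP/1.1" 403 AccessDenied - 113 4 3 "-" "curl/7.68.0" - HOSTIDEXAMPLE= - - - example-data.s3.us-east-1.amazonaws.com -
"""

if __name__ == "__main__":
    for request_id, operation, key, reasons in review(SAMPLE_LOG.splitlines()):
        print(request_id, operation, key, "; ".join(reasons))
```

Point `review()` at the lines of the log objects downloaded from the target bucket (they are plain text, one record per line). The three rules in `findings()` are a starting point; the parsed dict exposes every field, so the same loop can be extended to whatever your own review needs, such as counting operations per requester or per key prefix.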