
Allow CloudFront to serve encrypted content from S3 #713

Merged: 3 commits merged into widdix:master on Oct 6, 2023

Conversation

ab77
Contributor

@ab77 ab77 commented Oct 3, 2023

(Override all values in parentheses)

(Run yamllint folder/template.yaml, cfn-lint -i E1019 E3002 E2520 -t folder/template.yaml, and aws cloudformation validate-template --template-body file://folder/template.yaml before you open a PR)

(Do not include multiple changes in one PR. Open additional PRs instead.)


Allow CloudFront to serve encrypted content from S3 origins. See https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/

@michaelwittig
Contributor

Hi @ab77

The statement in the mentioned blog post looks different:

- Sid: Allow access through S3 for all principals in the account that are authorized to use S3
  Effect: Allow
  Principal:
    AWS: "*"
  Action:
  - kms:Encrypt
  - kms:Decrypt
  - kms:ReEncrypt*
  - kms:GenerateDataKey*
  - kms:DescribeKey
  Resource: '*'
  Condition:
    StringEquals:
      kms:CallerAccount: !Ref 'AWS::AccountId'
      kms:ViaService: !Join ['.', ['s3', !Ref 'AWS::Region', 'amazonaws.com']]

Can you explain the difference?

I also wonder why the blog post/this PR grants kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*, which shouldn't be needed for reading an encrypted file.

@ab77
Contributor Author

ab77 commented Oct 4, 2023

Hello, we've tested this config in a pre-production environment, with CF being able to serve encrypted content. Logically, the only permission required, since CF is only doing decryption here, is kms:Decrypt (kms:GenerateDataKey* seems to relate to encryption only). I'll retest tomorrow with reduced permissions and report back.

@ab77
Contributor Author

ab77 commented Oct 5, 2023

I'll retest tomorrow with reduced permissions and report back.

Tested, OK. The only permission required from the CF perspective is kms:Decrypt. Encryption permissions are set on whatever IAM actor is performing S3 upload operations (in our case, an IAM user).
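The two points raised in this thread (the wildcard principal must stay scoped by kms:CallerAccount and kms:ViaService, and a statement that only lets CloudFront read objects needs kms:Decrypt rather than the Encrypt/ReEncrypt*/GenerateDataKey* set) can be checked mechanically against a key policy before it is deployed. The following is an added example, not code from this PR or from the widdix templates: it audits the JSON form of a KMS key policy (the form IAM evaluates, with the CloudFormation intrinsics already resolved), using constructed sample statements with a placeholder account id and region.

```python
"""Audit a KMS key policy for the CloudFront-reads-SSE-KMS-objects-from-S3 case.

Added example (not part of the PR or the project's templates). For every Allow
statement whose AWS principal is the wildcard "*" it reports:
  - missing kms:CallerAccount / kms:ViaService conditions (the scoping that
    keeps a wildcard principal limited to this account's calls through S3);
  - actions beyond what a reader needs (kms:Decrypt, plus kms:DescribeKey).
"""
import json

REQUIRED_CONDITION_KEYS = ("kms:CallerAccount", "kms:ViaService")
READ_ONLY_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}

# Constructed sample: the broad statement shape quoted in the thread, with the
# !Ref / !Join intrinsics resolved to placeholder values (account id and region
# are placeholders, not real values).
BROAD_STATEMENT = {
    "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {"StringEquals": {
        "kms:CallerAccount": "111122223333",
        "kms:ViaService": "s3.us-east-1.amazonaws.com",
    }},
}

# Constructed sample: the same statement reduced to what the thread found a
# CloudFront reader actually needs.
DECRYPT_ONLY_STATEMENT = {**BROAD_STATEMENT, "Sid": "Allow CloudFront reads through S3", "Action": "kms:Decrypt"}

# Constructed sample: the conditions dropped entirely, which is the dangerous shape.
UNSCOPED_STATEMENT = {k: v for k, v in DECRYPT_ONLY_STATEMENT.items() if k != "Condition"}
UNSCOPED_STATEMENT["Sid"] = "Unscoped wildcard"

# Constructed sample: the usual key-administrator statement, which the audit
# must leave alone because its principal is a specific ARN, not "*".
ADMIN_STATEMENT = {
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*",
}

SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [BROAD_STATEMENT, DECRYPT_ONLY_STATEMENT, UNSCOPED_STATEMENT, ADMIN_STATEMENT],
}


def _as_list(value):
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(statement):
    """Collect condition keys across all operators (StringEquals, StringLike, ...)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def audit_key_policy(policy):
    """Return (sid, finding, detail) tuples for wildcard-principal Allow statements."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow" or not _principal_is_wildcard(statement):
            continue
        sid = statement.get("Sid") or f"Statement[{index}]"
        present = _condition_keys(statement)
        missing = [key for key in REQUIRED_CONDITION_KEYS if key not in present]
        if missing:
            findings.append((sid, "wildcard-principal-missing-condition", missing))
        excess = sorted(set(_as_list(statement.get("Action", []))) - READ_ONLY_ACTIONS)
        if excess:
            findings.append((sid, "actions-beyond-read", excess))
    return findings


def reduce_to_decrypt(statement):
    """Return a copy of a statement with its Action narrowed to kms:Decrypt only."""
    hardened = json.loads(json.dumps(statement))  # deep copy via JSON round trip
    hardened["Action"] = "kms:Decrypt"
    return hardened


if __name__ == "__main__":
    for sid, finding, detail in audit_key_policy(SAMPLE_KEY_POLICY):
        print(f"{finding}: {sid}: {detail}")
```

Run against the constructed policy, the audit flags the broad statement for the three write-side actions and the unscoped statement for its missing conditions, and is silent for the Decrypt-only statement and the administrator statement. Feeding `reduce_to_decrypt(BROAD_STATEMENT)` back through the audit produces no findings, which is the shape the thread settled on: upload-side principals get their Encrypt/GenerateDataKey permissions through their own IAM identity, and the key policy's S3 pass-through statement only needs to allow decryption.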

@michaelwittig michaelwittig merged commit 355d921 into widdix:master Oct 6, 2023
1 check passed
@michaelwittig
Contributor

Thanks @ab77
