AWS: SES Rule: S3 Action: fails when choosing bucket that has encryption enabled

Tags: amazon-s3, amazon-ses, amazon-web-services, encryption

I can not create a SES rule to put emails into a S3 bucket that has encryption enabled (on the bucket).

This could just be that another policy is needed somewhere, or is there something I'm missing about AWS encryption which explains why the above steps failed and why SES has client-side encryption as an option?

Update

I've added a policy (thanks @shonkylinuxuser) to the KMS key that is configured under the bucket's encryption properties (as per AWS doc):

{
  "Sid": "Allow SES to encrypt messages using this master key",
  "Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContext:aws:ses:rule-name": false,
      "kms:EncryptionContext:aws:ses:message-id": false
    },
    "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "1234567890"}
  }
}

EXCEPT: The policy still causes the same error when saving the SES rule. However, if I remove all the "Condition"s, then I can save it successfully?

Related: AWS SES Encryption vs S3 bucket encryption

Best Answer

Really late response but just ran into the same issue. I was able to get SSE-KMS working with an update to the KMS key policy to allow S3 access to KMS.

{
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "s3.<your s3 bucket region>.amazonaws.com"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::<your S3 bucket name>/*"
    }
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Sid": "SES Access to CMK for S3 SSE-KMS"
}

When you use SSE-KMS, it's actually S3 that is accessing the KMS key on behalf of the principal that is performing the put action to the S3 bucket. So this policy allows for S3 to access the KMS key when SES is trying to use the key with S3.
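To make the difference between the two key-policy statements concrete, here is an added example (not part of the question or the answer above) that models how the Null, StringEquals and StringLike condition operators are evaluated against the request context KMS sees. It assumes, as the answer describes, that for SSE-KMS the call to KMS comes from S3 with kms:ViaService set and an encryption context of aws:s3:arn=<object ARN>, so the aws:ses:* context keys from the question's statement are absent from that call. The account id, region, bucket name and object key are constructed placeholders, and the evaluator is a deliberately small model of IAM condition logic, not AWS's policy engine.

```python
import re

# Constructed KMS key policy statements, modelled on the two snippets in this
# thread. Account id, region and bucket name are placeholders, not real values.
SES_CONTEXT_STATEMENT = {
    "Sid": "Allow SES to encrypt messages using this master key",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:ses:rule-name": "false",
            "kms:EncryptionContext:aws:ses:message-id": "false",
        },
        "StringEquals": {
            "kms:EncryptionContext:aws:ses:source-account": "123456789012",
        },
    },
}

S3_VIA_SERVICE_STATEMENT = {
    "Sid": "SES Access to CMK for S3 SSE-KMS",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
        "StringLike": {
            "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::example-ses-inbox/*",
        },
    },
}

# Constructed request context: what KMS sees when S3 fetches a data key to
# write an SES-delivered object into an SSE-KMS bucket. S3 sets kms:ViaService
# and an encryption context of aws:s3:arn=<object ARN>; the SES-specific
# aws:ses:* context keys are not part of this call.
S3_SSE_KMS_REQUEST = {
    "principal": "ses.amazonaws.com",
    "action": "kms:GenerateDataKey",
    "context": {
        "kms:ViaService": "s3.us-east-1.amazonaws.com",
        "kms:EncryptionContext:aws:s3:arn":
            "arn:aws:s3:::example-ses-inbox/inbox/AMAZON_SES_SETUP_NOTIFICATION",
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_failures(condition, context):
    """Return the (operator, key) pairs of a Condition block that the request
    context does not satisfy. An empty list means the whole block matches."""
    failures = []
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # Null/"true": key must be absent; Null/"false": key must be present
                want_absent = str(expected).lower() == "true"
                ok = (actual is None) == want_absent
            elif operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringLike":
                ok = actual is not None and any(
                    _glob_match(p, actual) for p in _as_list(expected))
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                failures.append((operator, key))
    return failures


def statement_allows(statement, request):
    """True if an Allow statement's Principal, Action and Condition all match
    the request. Resource is '*' in a key policy, so it is not checked."""
    if statement["Effect"] != "Allow":
        return False
    if statement["Principal"].get("Service") != request["principal"]:
        return False
    if not any(_glob_match(a, request["action"]) for a in _as_list(statement["Action"])):
        return False
    return not condition_failures(statement.get("Condition", {}), request["context"])


if __name__ == "__main__":
    for stmt in (SES_CONTEXT_STATEMENT, S3_VIA_SERVICE_STATEMENT):
        print(stmt["Sid"], "->", statement_allows(stmt, S3_SSE_KMS_REQUEST),
              condition_failures(stmt["Condition"], S3_SSE_KMS_REQUEST["context"]))
```

Run as a script it shows the question's statement failing all three of its conditions against the S3-originated request (the aws:ses:* keys are simply not there), while the answer's statement matches on kms:ViaService and the bucket ARN prefix; dropping the Condition block, as the asker observed, makes the first statement match as well, at the cost of letting SES use the key for anything. When debugging a real key, the encryption context KMS actually received is recorded in the CloudTrail event for the failed KMS call, which is the quickest way to confirm which context keys a condition should reference.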
