I cannot create a SES rule to put emails into an S3 bucket that has encryption enabled (on the bucket).
- Created a bucket and enabled encryption.
- Added a SESPut bucket policy to allow SES. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html
- Configured an SES S3 rule to put email into said bucket, but during save I get the error: "Could not write to bucket"
- Changed the bucket, removed encryption
- SES rule save now succeeds.
This could just be that another policy is needed somewhere, or is there something I'm missing about AWS encryption which explains why the above steps failed and why SES has client-side encryption as an option?
Update
I've added a policy (thanks @shonkylinuxuser) to the KMS key that is configured under the bucket's encryption properties (as per AWS doc):
{
    "Sid": "Allow SES to encrypt messages using this master key",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:ses:rule-name": false,
            "kms:EncryptionContext:aws:ses:message-id": false
        },
        "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "1234567890"}
    }
}
EXCEPT: The policy still causes the same error when saving the SES rule. However, if I remove all the "Condition"s, then I can save it successfully?
—
Best Answer
Really late response, but I just ran into the same issue. I was able to get SSE-KMS working with an update to the KMS key policy to allow S3 access to KMS.
When you use SSE-KMS, it's actually S3 that is accessing the KMS key on behalf of the principal that is performing the put action to the S3 bucket. So this policy allows S3 to access the KMS key when SES is trying to use the key with S3.