Focus:
- Intro,
- Core Encryption Options,
- Replicating Encrypted Objects,
- Key Requirements for Replication,
- Architecture,
- Key concepts (quick refresher),
- High-level behaviors to consider,
- Typical KMS permissions needed for SSE-KMS replication,
- Cross-account replication (common pitfalls),
- Practical minimal KMS key policy patterns (templates),
- Sample Destination KMS key policy that allows replication to encrypt using destination key,
- Sample Source KMS key policy that allow S3 service (with replication role) to decrypt & generate data keys,
- What IAM role for replication typically needs,
- Sample Poliy with minimal permissions (JSON policy-style),
- Special cases & gotchas,
- Observability & troubleshooting tips,
- Security & compliance recommendations (best practices),
- Sample of common real-world setups,
- Quick checklist before enabling replication with encryption,
- Sample of minimal KMS grant approach (concept),
- Final Recommendations (practical).
Intro:
- Amazon S3 replication and encryption work together to ensure data is protected both at rest and during transfer between buckets, whether in the same or different AWS Regions.
Core Encryption Options
Amazon S3 provides several server-side encryption (SSE) methods to protect data at rest:
- SSE-S3 (Amazon S3-Managed Keys): Since January 2023, S3 automatically applies SSE-S3 as the base level of encryption for all new objects at no additional cost.
- SSE-KMS (AWS Key Management Service Keys): Provides more control over keys, including separate permissions for key use and an audit trail through AWS CloudTrail.
- SSE-C (Customer-Provided Keys): twtech manage the encryption keys, and S3 handles the encryption and decryption during upload and download.
Replicating Encrypted Objects
Replicating objects that are already encrypted requires specific configurations:
- Objects Encrypted with SSE-S3:
- These are replicated by default when replication is enabled.
- Objects Encrypted with SSE-KMS:
- twtech must explicitly enable encryption in its Replication configuration.
- twtech also need to specify a destination KMS key (in the destination Region) to re-encrypt the replicas.
- Objects Encrypted with SSE-C:
- S3 now supports the replication of SSE-C objects.
- However, twtech must provide the same encryption key used for the source object to retrieve it for replication at destination region.
Key Requirements for Replication
To successfully replicate encrypted data, ensure the following are in place:
- Versioning:
- Must be enabled on both the source and destination buckets.
- IAM Role:
- The IAM role used for replication needs permissions to s3:GetReplicationConfiguration and s3:GetObjectVersion on the source, and s3:ReplicateObject on the destination.
- KMS Permissions:
- If using SSE-KMS, the IAM role must have kms:Decrypt permissions for the source key and kms:Encrypt permissions for the destination key.
- Cross-Account Access:
- If replicating to a bucket in a different account, the destination account's bucket policy must grant the source account's replication role permission to replicate objects.
Architecture
1) Key concepts (quick refresher)
- SSE-S3:
- Amazon manages keys. Objects encrypted server-side with S3-managed keys.
- SSE-S3 is Transparent to users and replication.
- SSE-KMS:
- Server-side encryption using AWS KMS Customer Master Keys (CMKs or KMS keys).
- SSE-KMS gives twtech control and auditability.
- SSE-C:
- Server-side encryption using customer-provided keys (AWS never stores the key).
- SSE-C is Not suitable for automatic replication because AWS does not have access to twtech key to re-encrypt at destination.
- Client-side encryption (CSE):
- twtech encrypts before uploading.
- S3 just stores ciphertext.
- Replication will copy ciphertext but S3 cannot inspect & transform it.
- Cross-Region Replication (CRR) vs Same-Region Replication (SRR).
- Their behavior & permission requirements are similar, but CRR commonly spans different AWS accounts and regions.
- Therefore, KMS configuration and IAM require extra attention.
2) High-level behaviors to consider
- SSE-S3 encrypted objects replicate easily.
- Because AWS controls keys, replication just copies data + metadata to the destination bucket.
- SSE-KMS adds complexity.
- Replication of SSE-KMS objects works, but the replication IAM role and KMS key policies must explicitly allow the replication operations (encrypt/decrypt/generate-data-key, as needed) across source and destination accounts/keys.
- SSE-C objects generally cannot be automatically replicated by S3.
- Because AWS never holds the client-provided encryption key needed to decrypt/re-encrypt.
- Therefore, If twtech needs replication, it must handle decrypt/re-encrypt client-side or switch to SSE-KMS/SSE-S3.
- Client-side encrypted objects replicate as-is (ciphertext).
- If twtech wants readable object at destination, it must decrypt and re-encrypt before/after replication (handled outside S3).
- Versioning is required for replication.
- twtech must remember to enable versioning on both source and destination buckets.
3) Typical KMS permissions needed for SSE-KMS
replication
- When objects are encrypted with a KMS key, replication requires the ability to re-encrypt (or encrypt) the data at the destination and potentially decrypt/reencrypt at the source (AWS performs server-side operations).
- The replication role (the IAM role S3 uses for replication) normally needs a set of KMS actions.
- A conservative set to consider (replace placeholders) is:
kms:Decryptkms:Encryptkms:ReEncrypt*(includes ReEncryptFrom and ReEncryptTo)kms:GenerateDataKey*kms:DescribeKey
NB:
- If source and destination are in different AWS
accounts, both KMS key policies (source key and destination key) must permit
the replication role (or the S3 service principal with the
SourceAccount/SourceArnconditions) to use the key. - Use least-privilege: grant only the required actions and scope them to the replication role ARN + S3 service principal where appropriate.
- Consider using KMS grants for temporary, fine-grained permissions rather than broad key policy edits when automation or frequent role changes occur.
4) Cross-account replication (common
pitfalls)
- Key policy must explicitly allow principals from the other account (the replication role or S3 service principal) to use the key.
- Common mistakes:
- Forgetting
to allow
kms:Encrypton the destination key for the replication principal. - Using
aws:PrincipalArnconditions incorrectly... ensure the key policy references the replication role ARN or the S3 replication principal. - Include
aws:SourceAccountand/oraws:SourceArnconditions in twtech KMS key policy to avoid giving overly-broad access while enabling replication from a particular bucket. - If source objects are SSE-KMS with a source-account key and destination must also be SSE-KMS with its own key, twtech needs both keys to allow the replication role (or S3 service) to perform re-encryption operations.
5) Practical minimal KMS key policy patterns
(templates)
- Below are two concise patterns twtech can adapt.
- twtech must Replace
SOURCE_ACCOUNT,DEST_ACCOUNT,REPLICATION_ROLE_ARN,SOURCE_BUCKET_ARN,DEST_BUCKET_ARN, andKMS_KEY_ARNwith twtech values.
A. Sample Destination
KMS key policy that allows replication to encrypt using destination key
# json{ "Version":"2012-10-17", "Statement":[ { "Sid":"twtech Allow replication role to use key for encryption", "Effect":"Allow", "Principal":{"AWS":"arn:aws:iam::twtech_DEST_ACCOUNT_ID:role/twtech-replication-role"}, "Action":[ "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:DescribeKey" ], "Resource":"*", "Condition": { "StringEquals": { "aws:SourceAccount": "twtech_SOURCE_ACCOUNT_ID" }, "ArnLike": { "aws:SourceArn": "arn:aws:s3:::twtech_SOURCE_S3BUCKET_NAME/*" } } } ]}
B. Sample Source
KMS key policy that allow S3 service (with replication role) to decrypt & generate
data keys
# json{ "Version":"2012-10-17", "Statement":[ { "Sid":"twtech Allow S3 replication to use source key", "Effect":"Allow", "Principal":{"Service":"s3.amazonaws.com"}, "Action":[ "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:ReEncrypt*" ], "Resource":"*", "Condition":{ "ArnLike":{"aws:SourceArn":"arn:aws:s3:::twtech_SOURCE_BUCKET_NAME/*"}, "StringEquals":{"aws:SourceAccount":"twtech_SOURCE_ACCOUNT_ID"} } }, { "Sid":"twtech Allow replication role to use source key", "Effect":"Allow", "Principal":{"AWS":"REPLICATION_ROLE_ARN"}, "Action":[ "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:ReEncrypt*" ], "Resource":"*" } ]}
NB:
- Key policies are sensitive.
- Key policies should be tested in a staging account.
- Use
kms:ViaServiceandaws:SourceArnconditions to limit scope (what can be done) where possible.
6) what IAM role for replication typically needs
- S3 replication uses an IAM role (replication
role) with a trust relationship for
s3.amazonaws.com. - Permissions typically include (on the source bucket):
s3:GetObjectVersions3:GetObjectVersionAcls3:GetObjectVersionTagging- Permissions typically include (on destination bucket)
s3:ReplicateObjects3:ReplicateDeletes3:ReplicateTagss3:PutObjectAcl- If using KMS:(The role may require:the following permissions):
kms:Decryptkms:Encryptkms:ReEncrypt*kms:GenerateDataKey*
- The KMS often use is control in the KMS key policy, to ensure role ARN is allowed or Denied.
# Sample Poliy with minimal permissions (JSON
policy-style):
# json{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging" ], "Resource":"arn:aws:s3:::twtech_SOURCE_BUCKET_NAME/*" }, { "Effect":"Allow", "Action":[ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ], "Resource":"arn:aws:s3:::twtech_Dest_S3BUCKET_NAME/*" } ]}
NB:
- twtech needs to Pair this with matching KMS key policy entries.
7) Special cases & gotchas
- SSE-C:
- Because AWS never stores the client key, automatic replication is effectively blocked. If twtech needs replication.
- it should switch to SSE-KMS or do client-side re-encrypt during ingestion.
- S3 Bucket Keys (S3-KMS):
- If twtech enables S3 Bucket Keys, encryption can be cheaper (fewer KMS calls).
- But replication behavior with bucket keys should be tested — destination bucket’s key usage and policy still matter.
- Object lock / Retention:
- When replicating objects under retention or legal hold, ensure the destination supports the same retention settings and the replication configuration is set to replicate object lock settings.
- Delete markers:
- Replication of delete markers is configurable — be explicit if twtech wants deletes replicated.
- IAM role vs. Service principal:
- Depending on exact configuration, the KMS
policy needs to allow either the replication role ARN or the
s3.amazonaws.comservice principal (often both). - Encryption context:
- KMS encryption context may be used for extra validation.
- If present, ensure replication operations are compatible (i.e., the context is not causing decryption failures).
- Replication metrics/logs:
- Replication failures due to KMS permission errors often
show up in S3 replication metrics and CloudTrail (KMS
AccessDeniedevents). Be prepared to correlate logs.
8) Observability & troubleshooting tips
- CloudTrail:
- good source for KMS
AccessDenied/Decryptfailures or denied S3 replication API calls. - S3 Replication Metrics & Notifications:
- enable metrics and replication time control if twteh wants Service Level Agreement (SLA)-like guarantees. Watch replication failures, and configure an SNS alarm if failures spike.
- KMS CloudWatch Logs (via AWS CloudTrail):
- Track which principal attempted which KMS action; useful in cross-account setups to find missing permissions.
- Test with small objects first:
- Validate encryption, ACLs, tagging and metadata replication, and key policies before bulk replication.
- Check object-level metadata:
- Replication will preserve certain metadata (tags, ACL if configured)
- Verify that twtech replication rule covers these.
9) Security & compliance recommendations
(best practices)
1. Prefer SSE-KMS
over SSE-C for enterprise replication: Gives control, audit logs, and
cross-account capabilities.
2. Use distinct
CMKs for different security domains (e.g., separate keys per account
or workload) and grant the replication principal controlled access.
3. Lock down KMS
key policies with aws:SourceAccount, aws:SourceArn
and kms:ViaService
where appropriate instead of broadly allowing principals.
4. Use least
privilege for the replication IAM role; scope to bucket ARNs and
required KMS actions.
5. Document
ownership: Name and tag keys & IAM roles to indicate “used for
replication between X→Y”.
6. Test rotation: Ensure key rotation of CMKs won’t break replication workflows.
7. Consider using
multi-region keys or separate destination keys according to twtech threat model (e.g., if destination account must have independent key control).
8. Plan for
recovery: Ensure keys remain available when twtech needs to access
historic versions; losing a CMK = losing ability to decrypt objects encrypted
with it.
10) Sample of common real-world setups
- Same-account, same-KMS key: easiest. Ensure replication role can use the key. Minimal policy churn.
- Cross-account, destination uses destination-account key: more secure (destination can control access); requires destination key policy to explicitly permit source-account replication principal and source KMS key to be used for re-encryption if required.
- Cross-account, source and destination both using SSE-KMS with different keys: need both key policies to allow the replication principal to perform required KMS operations.
- Often the replication role belongs to the source account and is granted permission on the destination key or vice versa depending on architecture.
11) Quick checklist before enabling
replication with encryption
- Versioning enabled on source and destination buckets.
- Replication role
created and trust relationship set to
s3.amazonaws.com. - IAM policy for replication role includes required S3 actions on source + destination.
- KMS key policy (source) allows replication role / S3 to use key for decrypt/generateDataKey.
- KMS key policy (destination) allows replication role / S3 to use key for encrypt/generateDataKey.
- If
cross-account is used: constrain policies with
aws:SourceAccountandaws:SourceArn. - Test with a single object; verify object is present, encryption at rest is as expected, and metadata/tags replicated if desired.
- Enable monitoring/alerts for replication failures.
12) Sample of minimal KMS grant approach
(concept)
- Instead of modifying the key policy permanently, twtech can use a KMS grant to allow the replication role temporary access to the key with precise operations.
- Grants are programmatic and can be rotated/revoked more easily.
- Grants are useful if twtech automates bucket creation and replication setup.
13) Final Recommendations (practical)
- For most organizations requiring controlled cross-account replication, SSE-KMS with separate keys (one per account or purpose) + carefully-scoped key policy + replication role is the best mix of security and manageability.
- Avoid SSE-C if twtech expects automatic S3 replication.
- Keep auditing and alerts in place: Replication permission issues are common on first setup; good logging makes resolution straightforward.
- Test retention, versioning, and delete marker settings explicitly; replication can replicate delete markers and versioned deletes depending on configuration.
No comments:
Post a Comment