
Configure S3 Encryption

Perform the following steps to configure S3 encryption.

  1. To support S3 buckets encrypted using AWS KMS, include the following property in the vars.dataserver.aws.yml file:
    YAML
    DATASERVER_AWS_PROFILE_PROPERTIES:
    - PROFILE_NAME: "aws_account1"
      PROFILE_PROPERTIES:
        - S3_ENCRYPTION_ENABLE: "true"
        - S3_ENCRYPTION_BUCKET_DATA:
            - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"
    
  2. There are three parts to the S3_ENCRYPTION_BUCKET_DATA property:
    1. S3_ENCRYPTION_BUCKET_NAME: Comma-separated list of S3 bucket names.
    2. S3_ENCRYPTION_SSETYPE: The type of server-side encryption to use for the S3 bucket. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. S3_ENCRYPTION_SSEKEY: The server-side encryption key to use for the S3 bucket. Whether it is required depends on the S3_ENCRYPTION_SSETYPE value:
      • SSE-C: the key is mandatory.
      • SSE-KMS: the key is optional.
      • SSE-S3: no key is used; leave this part empty.
  3. To enable Encryption for Multiple S3 Buckets:
    • Use the S3_ENCRYPTION_BUCKET_DATA property to specify encryption details for multiple S3 buckets. The list format is as follows:
      YAML
      S3_ENCRYPTION_BUCKET_DATA:
        - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"
        - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"
      
    • Examples:
      YAML
      S3_ENCRYPTION_BUCKET_DATA:
        - "bucket1|SSE-KMS|"
        - "bucket2|SSE-KMS|arn:aws:kms:<region>:<account-id>:key/<key-id>"
        - "bucketA,bucketB*|SSE-KMS|"
      
  4. Once the properties are configured, refer to the Privacera Manager Quickstart.

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. Click the edit icon next to the Account Name, then go to Access Management -> ADVANCED tab.
  4. Add the following property with the appropriate value for <your_profile_name>, <your_s3_bucket_name>, <sse_type>, and <sse_key>:
    Properties
    dataserver.aws.<your_profile_name>.s3.encryption.enable=true
    dataserver.aws.<your_profile_name>.s3.encryption.bucketname=<your_s3_bucket_name>
    dataserver.aws.<your_profile_name>.s3.encryption.ssetype=<sse_type>
    dataserver.aws.<your_profile_name>.s3.encryption.ssekey=<sse_key>
    
    The values map to the same three parts as the S3_ENCRYPTION_BUCKET_DATA property:
    1. bucketname (S3_ENCRYPTION_BUCKET_NAME): Comma-separated list of S3 bucket names.
    2. ssetype (S3_ENCRYPTION_SSETYPE): The type of server-side encryption to use for the S3 bucket. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. ssekey (S3_ENCRYPTION_SSEKEY): The server-side encryption key to use for the S3 bucket. Whether it is required depends on the ssetype value:
      • SSE-C: the key is mandatory.
      • SSE-KMS: the key is optional.
      • SSE-S3: no key is used; leave this value empty.
  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.
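The "bucket|ssetype|ssekey" entries above are easy to get subtly wrong (a key on an SSE-S3 bucket, no key on an SSE-C bucket, a bare key ID where an ARN is expected). The following validator is an added example written for this page, not Privacera code, that parses a constructed S3_ENCRYPTION_BUCKET_DATA list, applies the key rules stated above, and resolves which rule applies to a given bucket name, including the "bucketB*" wildcard form shown in the examples. The account ID and key ID in the sample entries are placeholders, and the check that an SSE-KMS key is a full KMS key ARN is this example's own assumption, modelled on the page's examples.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample entries in the page's
# "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY" layout.
# The account ID and key ID are placeholders, not real identifiers.
SAMPLE_BUCKET_DATA = [
    "bucket1|SSE-KMS|",
    "bucket2|SSE-KMS|arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "bucketA,bucketB*|SSE-KMS|",
    "logs-bucket|SSE-S3|",
]

SUPPORTED_SSE_TYPES = {"SSE-C", "SSE-KMS", "SSE-S3"}
# Shape of a KMS key ARN; requiring the ARN form (rather than a bare key ID) is
# this example's own check, modelled on the page's examples and closing note.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


@dataclass
class BucketEncryptionRule:
    bucket_patterns: List[str]   # bucket names; '*' acts as a glob (e.g. "bucketB*")
    sse_type: str                # SSE-C, SSE-KMS or SSE-S3
    sse_key: Optional[str]       # None when the third field is empty


def parse_entry(entry: str) -> BucketEncryptionRule:
    """Split one entry on '|' and apply the key rules from the page:
    SSE-C needs a key, SSE-KMS may carry one, SSE-S3 must not."""
    parts = entry.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|'-separated fields: {entry!r}")
    names, sse_type, sse_key = (p.strip() for p in parts)
    patterns = [n.strip() for n in names.split(",") if n.strip()]
    if not patterns:
        raise ValueError(f"no bucket name given: {entry!r}")
    if sse_type not in SUPPORTED_SSE_TYPES:
        raise ValueError(f"unsupported SSE type {sse_type!r}: {entry!r}")
    if sse_type == "SSE-C" and not sse_key:
        raise ValueError(f"SSE-C requires a key: {entry!r}")
    if sse_type == "SSE-S3" and sse_key:
        raise ValueError(f"SSE-S3 takes no key: {entry!r}")
    if sse_type == "SSE-KMS" and sse_key and not KMS_KEY_ARN.match(sse_key):
        raise ValueError(f"SSE-KMS key should be a full KMS key ARN: {entry!r}")
    return BucketEncryptionRule(patterns, sse_type, sse_key or None)


def parse_bucket_data(entries: List[str]) -> List[BucketEncryptionRule]:
    """Parse the whole S3_ENCRYPTION_BUCKET_DATA list, failing on the first bad entry."""
    return [parse_entry(e) for e in entries]


def rule_for_bucket(rules: List[BucketEncryptionRule], bucket: str) -> Optional[BucketEncryptionRule]:
    """Return the first rule whose bucket list matches, or None if the bucket is not configured."""
    for rule in rules:
        if any(fnmatch.fnmatchcase(bucket, pattern) for pattern in rule.bucket_patterns):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_bucket_data(SAMPLE_BUCKET_DATA)
    for name in ("bucket2", "bucketB-archive", "not-configured"):
        print(name, "->", rule_for_bucket(rules, name))
```

The same three rules apply to the PrivaceraCloud `ssetype`/`ssekey` property pair; only the delimiter-based packing is specific to the YAML form.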

To Support S3 Encryption Using AWS KMS

Overview

When accessing SSE-KMS–encrypted S3 buckets, Privacera DataServer requires the following AWS permissions:

  • Standard S3 permissions for object operations (read, write, delete)
  • AWS KMS permissions for data encryption and decryption
  • Optional permission: s3:GetEncryptionConfiguration
    (Required to retrieve and validate the bucket encryption configuration)

These permissions ensure secure access to encrypted S3 data while complying with AWS and Privacera security requirements.

Encryption Types Covered

The following S3 encryption configurations are supported:

Bucket Type        KMS Key Type
SSE-KMS            AWS-managed key (aws/s3)
SSE-KMS with CMK   Customer-managed key

Steps

Follow the steps below to enable AWS KMS–based server-side encryption (SSE-KMS) for S3 buckets accessed by Privacera DataServer.

1. Update IAM Policy – Granting S3 and KMS Access

Update the IAM policy configured in the DataServer profile to allow:

  • Standard S3 read/write/delete operations
  • Access to bucket encryption configuration
  • Required AWS KMS permissions so Amazon S3 can encrypt and decrypt objects using aws:kms

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketAndObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    },
    {
      "Sid": "S3BucketEncryptionAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "your-region"
        }
      }
    },
    {
      "Sid": "KMSAccess",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:region:account-id:key/key-id"
      ]
    }
  ]
}
Replace:

  • your-bucket-name → Your S3 bucket name(s)
  • your-region → AWS region (for example, us-east-1)
  • account-id → Your AWS account ID
  • key-id → Your AWS KMS key ID

Note

The permission s3:GetEncryptionConfiguration is required to avoid AccessDenied errors when accessing SSE-KMS–enabled buckets.

2. Update KMS Key Policy (Required for CMK)

When using SSE-KMS with a customer-managed key (CMK), the KMS key policy must explicitly allow the Privacera DataServer IAM role.

Add the following statement to the KMS key policy:

JSON
{
  "Sid": "AllowDataServerRole",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::account-id:role/your-dataserver-role-name"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Replace:

  • account-id → Your AWS account ID (for example, 123456789)
  • your-dataserver-role-name → Your DataServer IAM role name

Important

IAM permissions alone are not sufficient for CMK access. Without this key policy, S3 operations will fail with AccessDenied errors.
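The point of the Important note is that CMK access is a conjunction: the role's identity policy (step 1) and the key policy (step 2) both have to allow each KMS action. The checker below is an added example written for this page, not Privacera or AWS tooling. It loads the page's KMSAccess and AllowDataServerRole statements with placeholder identifiers filled in, expands the "kms:ReEncrypt*" wildcard the way IAM does, and lists the required actions that would still be refused, for instance when the key policy names a different role. The account ID, role name and key ID are constructed placeholders; conditions and the account-root delegation pattern in key policies are deliberately not modelled.

```python
import fnmatch
from typing import List

# Constructed placeholder identifiers (not a real account, role or key).
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/privacera-dataserver-role"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"

# Concrete KMS actions behind the page's list ("kms:ReEncrypt*" covers both ReEncrypt actions).
REQUIRED_KMS_ACTIONS = [
    "kms:Decrypt", "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

# Step 1: the page's KMSAccess statement in the DataServer role's IAM policy.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KMSAccess", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"],
     "Resource": [KEY_ARN]},
]}

# Step 2: the page's AllowDataServerRole statement in the CMK's key policy.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowDataServerRole", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"],
     "Resource": "*"},
]}

# A key policy that names some other role: the situation the page's Important note warns about.
KEY_POLICY_WRONG_ROLE = {"Version": "2012-10-17", "Statement": [
    {**KEY_POLICY["Statement"][0],
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/some-other-role"}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM Action/Resource wildcards ('*', '?') behave like shell globs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_allows(stmt: dict, action: str, resource: str, principal: str = None) -> bool:
    """True if an Allow statement covers action on resource and, for a resource-based
    policy, names the principal explicitly. Conditions are ignored in this model."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _matches(stmt.get("Action", []), action) or not _matches(stmt.get("Resource", []), resource):
        return False
    if principal is not None:
        p = stmt.get("Principal", {})
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(a in ("*", principal) for a in allowed):
            return False
    return True


def kms_action_allowed(iam_policy: dict, key_policy: dict, role_arn: str, key_arn: str, action: str) -> bool:
    """Both the role's identity policy and the key policy have to allow the action."""
    iam_ok = any(statement_allows(s, action, key_arn) for s in iam_policy["Statement"])
    key_ok = any(statement_allows(s, action, key_arn, principal=role_arn) for s in key_policy["Statement"])
    return iam_ok and key_ok


def missing_kms_permissions(iam_policy: dict, key_policy: dict, role_arn: str, key_arn: str) -> List[str]:
    """Required actions that would fail with AccessDenied under the two policies."""
    return [a for a in REQUIRED_KMS_ACTIONS
            if not kms_action_allowed(iam_policy, key_policy, role_arn, key_arn, a)]


if __name__ == "__main__":
    print("correct key policy, missing:", missing_kms_permissions(IAM_POLICY, KEY_POLICY, ROLE_ARN, KEY_ARN))
    print("wrong role in key policy, missing:",
          missing_kms_permissions(IAM_POLICY, KEY_POLICY_WRONG_ROLE, ROLE_ARN, KEY_ARN))
```

Running it against a copy of the real policies before rollout turns the "AccessDenied at first PutObject" failure mode into a list of missing actions you can fix up front.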

3. S3 Bucket Policy

S3 bucket policies are used to enforce SSE-KMS encryption for all objects uploaded to an S3 bucket.
These policies ensure that objects are not uploaded without encryption or with an incorrect encryption configuration.

SSE-KMS Buckets (AWS-Managed Key)

Use this policy when the S3 bucket is configured to use the AWS-managed KMS key (aws/s3).

This policy:

  • Denies object uploads if SSE-KMS is not used
  • Denies uploads when the encryption header is missing
JSON
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

SSE-KMS with Customer-Managed Key (CMK)

When using a customer-managed AWS KMS key (CMK), enforce the use of a specific KMS key ARN by applying the following S3 bucket policy.

This policy provides the following enforcement:

  • Enforces SSE-KMS encryption for all object uploads
  • Restricts uploads to a specific customer-managed KMS key
  • Prevents unencrypted object uploads
JSON
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireSpecificKMSKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:region:account-id:key/key-id"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

Replace:

  • your-bucket-name → Your S3 bucket name
  • arn:aws:kms:region:account-id:key/key-id → Full AWS KMS key ARN

Note

When configuring policies, always use the KMS Key ARN, not the Key Material ID.
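To see what the two bucket policies above actually reject, the following evaluator is an added example written for this page, not Privacera or AWS code. It holds the page's CMK policy as a Python structure with placeholder values filled in (the AWS-managed-key policy is the same document minus the RequireSpecificKMSKey statement), and runs a few constructed PutObject header sets through the three condition operators the policies use, following IAM's documented rules in simplified form: Null tests for the presence of a key, a missing key makes StringNotEquals false (which is why the Null statement is needed alongside it), and the IfExists suffix treats a missing key as satisfied. The bucket name, account ID and key ID are placeholders.

```python
import fnmatch
from typing import Dict, List

# Constructed placeholders for this example (not a real bucket, account or key).
BUCKET = "example-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

# The page's "SSE-KMS with CMK" bucket policy with the placeholders filled in.
CMK_POLICY = {
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "RequireSpecificKMSKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotLikeIfExists": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}
# The page's AWS-managed-key policy is the same document without RequireSpecificKMSKey.
AWS_MANAGED_POLICY = {
    **CMK_POLICY,
    "Statement": [s for s in CMK_POLICY["Statement"] if s["Sid"] != "RequireSpecificKMSKey"],
}


def condition_matches(operator: str, key: str, expected: str, context: Dict[str, str]) -> bool:
    """Simplified IAM operator semantics: Null tests presence; a missing key makes
    every other operator false unless it carries the IfExists suffix, which treats
    a missing key as satisfied; String* compare exact values or '*'/'?' globs."""
    present = key in context
    if operator == "Null":
        return present != (expected == "true")
    if operator.endswith("IfExists"):
        if not present:
            return True
        operator = operator[: -len("IfExists")]
    elif not present:
        return False
    value = context[key]
    if operator == "StringEquals":
        return value == expected
    if operator == "StringNotEquals":
        return value != expected
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, expected)
    if operator == "StringNotLike":
        return not fnmatch.fnmatchcase(value, expected)
    raise ValueError(f"operator not modelled: {operator}")


def deny_reasons(policy: dict, headers: Dict[str, str]) -> List[str]:
    """Sids of the Deny statements that match a PutObject whose request carries
    the given x-amz-* headers (S3 exposes them as s3:<header> condition keys)."""
    context = {f"s3:{name.lower()}": value for name, value in headers.items()}
    matched = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, k, v, context)
               for op, pairs in stmt["Condition"].items() for k, v in pairs.items()):
            matched.append(stmt["Sid"])
    return matched


if __name__ == "__main__":
    samples = {
        "no encryption header": {},
        "SSE-S3 header": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, key unspecified": {"x-amz-server-side-encryption": "aws:kms"},
        "SSE-KMS with the expected CMK": {
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN,
        },
    }
    for label, hdrs in samples.items():
        print(f"{label:32} -> {deny_reasons(CMK_POLICY, hdrs) or 'allowed by bucket policy'}")
```

Two things worth noticing from the output: under the CMK policy an upload that asks for aws:kms without naming a key is caught by RequireSpecificKMSKey, so the DataServer profile for such a bucket should carry the key ARN in its ssekey field; and a request with no encryption header at all is denied by the Null statement, not by StringNotEquals, which is why the page's policies carry both.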