AWS AmazonS3 medium security documentation change
Summary
Added detailed instructions and KMS policy example for SSE-KMS encrypted logging buckets
Security assessment
Addresses potential security misconfiguration where inaccessible logs could impair security monitoring. Explicitly resolves the security risk of undeliverable/unreadable audit logs by providing required kms:GenerateDataKey and kms:Decrypt permissions.
Diff
diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md index e5c0fdc8c..196f6b2b7 100644 --- a//AmazonS3/latest/userguide/enable-server-access-logging.md +++ b//AmazonS3/latest/userguide/enable-server-access-logging.md @@ -40 +40,17 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket -Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. +If the destination bucket uses SSE-KMS default encryption, you must also grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. The following example shows the required AWS KMS key policy statement: + + + { + "Sid": "Allow S3 logging service to use the KMS key", + "Effect": "Allow", + "Principal": { + "Service": "logging.s3.amazonaws.com" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*" + } + +If you don't grant these permissions, Amazon S3 might deliver log objects that are encrypted with a key that you can't access, or log delivery might fail.