I followed the KMS part 1 lesson… john.adams has the appropriate S3 permissions as stated in the lecture… as well as ReadOnly for everything. I am working on the payslip part… and I am running into issues under john.adams’s account.
As admin… I can perform the steps without issue. However, something is missing in relation to john.adams. I have a feeling it’s something with not having permissions with SSE-S3.
If I try to change the encryption for payslip from KMS to SSE-S3… I get:
"You need s3:CopyObject permissions to perform this action. Learn more about Identity and Access Management in Amazon S3"
However… I am able to change the encryption of the entire bucket to SSE-S3 under john.adams… but not the object itself.
A little stumped here. Did anyone else get beyond this recently? I appreciate your help.
In case anyone runs into this issue again… I figured it out. Somehow john.adams was added as the key administrator, BUT was not added as a key user. I thought I verified and reverified this, but it looks like I missed it. Everything now works. If you do not have john.adams as a key user, you will hit the error wall hard. You CAN change the bucket level encryption, but not the object level encryption… which is interesting. Example: if you change the bucket level encryption from KMS to SSE-S3 (while john.adams is not added as a KMS key user on the key) and then upload a file, it will have SSE-S3 encryption set. Under this scenario, you cannot then change the object from SSE-S3 to KMS either. Setting the user as a key user is required to make the object level encryption changes.