The other day, I participated in an event and realised something about an earlier post of mine: I had written an article on encrypting and uploading data to an S3 bucket, but I used an access key to authenticate, which is not in line with security best practices. This post supplements that one.
It is a continuation of ** Encrypting data uploaded to S3 using AWS SDK for Java / SSE-KMS **.
- In IAM, click ** Create New Role **.
- Select ** "Amazon EC2" ** as the service that will use the role.
- Check ** "Amazon S3 Full Access" ** and click ** [Next Step] **.
- Enter a ** role name ** and click ** [Create Role] **.
- Select the ** encryption key ** used for S3 encryption.
- Under ** Key Users **, click ** [Add] **.
- Select the ** IAM role you created ** and click ** [Attach] **.
- Assign the created IAM role to the ** target EC2 instance **.
- Enter or select the ** IAM role name ** and click ** Apply **.
- If that succeeds, start the target EC2 instance and check that the IAM role is applied.
In the Java code, simply stop specifying credentials: when no credentials provider is given, the SDK's default credential provider chain obtains the temporary credentials of the instance's IAM role, so no access key or secret key is stored in the code.
Changes
```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

public class S3Access {
    private static final String ENDPOINT_URL = "https://s3-ap-northeast-1.amazonaws.com";
    private static final String REGION = "ap-northeast-1";
    // private static final String ACCESS_KEY = "[access key]";
    // private static final String SECRET_KEY = "[secret key]";
    private static final String KMS_KEY_ID = "[KMS key ID]";

    // (omitted)

    //--------------------------------------------------
    // Client generation
    //--------------------------------------------------
    private AmazonS3 getClient(String bucketName) throws Exception {
        // // Authentication information (no longer needed: the IAM role supplies credentials)
        // AWSCredentials credentials = new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY);

        // Client settings
        ClientConfiguration clientConfig = new ClientConfiguration();
        clientConfig.setProtocol(Protocol.HTTPS);      // protocol
        clientConfig.setConnectionTimeout(10000);      // connection timeout (ms)

        // Endpoint setting
        EndpointConfiguration endpointConfiguration = new EndpointConfiguration(ENDPOINT_URL, REGION);

        // Client generation: with no withCredentials(...) call, the default provider chain is used
        AmazonS3 client = AmazonS3ClientBuilder.standard()
                // .withCredentials(new AWSStaticCredentialsProvider(credentials))
                .withClientConfiguration(clientConfig)
                .withEndpointConfiguration(endpointConfiguration)
                .build();

        // (omitted)
```
** Delete the lines commented out with "//" at the beginning of the line. ** They are the access-key code that the IAM role replaces.
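As an added example (not code from the original article), the same client built against the instance profile explicitly, followed by an SSE-KMS upload that reads the object metadata back to confirm the key was actually applied. Pinning the provider to `InstanceProfileCredentialsProvider` means a leftover `AWS_ACCESS_KEY_ID` in the environment or `~/.aws/credentials` can never silently take precedence over the role. Bucket name and KMS key ID are placeholders; the region and endpoint are the article's.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams;

public class RoleBasedSseKmsUpload {
    private static final String REGION = "ap-northeast-1";
    private static final String ENDPOINT_URL = "https://s3-ap-northeast-1.amazonaws.com";
    private static final String KMS_KEY_ID = "[KMS key ID]";   // placeholder: use the key ID (UUID form)
    private static final String BUCKET = "[bucket name]";      // placeholder

    // Credentials come only from the EC2 instance profile (the IAM role attached above).
    static AmazonS3 buildClient() {
        ClientConfiguration config = new ClientConfiguration()
                .withProtocol(Protocol.HTTPS)
                .withConnectionTimeout(10000);
        return AmazonS3ClientBuilder.standard()
                .withCredentials(InstanceProfileCredentialsProvider.getInstance())
                .withClientConfiguration(config)
                .withEndpointConfiguration(new EndpointConfiguration(ENDPOINT_URL, REGION))
                .build();
    }

    // Upload with SSE-KMS, then verify S3 stored the object under aws:kms with our key.
    // S3 reports the key as a full ARN, which ends with the key ID we requested.
    static boolean uploadAndVerify(AmazonS3 s3, String key, String body) {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ObjectMetadata meta = new ObjectMetadata();
        meta.setContentLength(bytes.length);
        PutObjectRequest req = new PutObjectRequest(BUCKET, key, new ByteArrayInputStream(bytes), meta)
                .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(KMS_KEY_ID));
        s3.putObject(req);

        ObjectMetadata stored = s3.getObjectMetadata(BUCKET, key);
        String usedKey = stored.getSSEAwsKmsKeyId();
        return "aws:kms".equals(stored.getSSEAlgorithm()) && usedKey != null && usedKey.endsWith(KMS_KEY_ID);
    }

    public static void main(String[] args) {
        System.out.println("SSE-KMS verified: " + uploadAndVerify(buildClient(), "test/hello.txt", "hello"));
    }
}
```

If the role is missing from the instance, `InstanceProfileCredentialsProvider` throws when credentials are requested, which surfaces the misconfiguration immediately instead of falling back to some other credential source.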