
How to upload a large file to Amazon S3 with encryption using an AWS KMS key?
Find more details in the AWS Knowledge Center: https://repost.aws/knowledge-center/s…
Rajitha, an AWS Cloud Support Engineer, shows you how to upload a large file to Amazon S3 with encryption using an AWS KMS key.
Content
Hello, I'm Rajitha, a Cloud Support Engineer here at the AWS office in Bangalore, India. Today I'm going to show you what you can do if your upload fails when trying to upload a large file to Amazon S3 with an encryption key that's using the AWS KMS key. Let's get started.

If you want to upload objects larger than five gigabytes, the objects must be uploaded in parts. The AWS CLI, SDK and AWS Management Console can automate some of this for you and break up the object into individual parts. When all the parts are uploaded successfully, all these uploaded parts must be assembled to complete the multipart upload operation. Because the uploaded parts are server-side encrypted using a KMS key, each part must be decrypted before they can be assembled. This is the reason why the requester needs kms:Decrypt permissions for S3 multipart upload API requests using server-side encryption with KMS, or SSE-KMS.

Now let's walk through how the KMS encrypt and decrypt permissions affect uploading objects to Amazon S3. I have already logged in to the AWS Management Console. I'm going to use an IAM user named test in this demonstration. Let's review what the KMS key policy looks like for this IAM user by visiting the KMS dashboard. I'll navigate to the KMS dashboard and go to Customer managed keys, to my KMS key that's associated with my S3 bucket to which I'm uploading the objects. In the key policy, search for the statement where the Amazon Resource Name of your IAM user is listed as an AWS principal. I used IAM user test for this purpose. Check the list of actions allowed by this statement associated with your IAM user or role. It looks like the IAM user has the necessary kms:GenerateDataKey permissions, which are sufficient if you're uploading objects that are smaller than eight megabytes. As of now, the IAM user doesn't have kms:Decrypt, which multipart uploads need to work, though. The identity-based permissions associated with this IAM user include S3 full access. We can review the IAM permissions from the IAM dashboard: Users, test, Permissions. You can restrict these permissions based on your use case.

I'm going to use the AWS CLI to upload objects to my S3 bucket, Amazon test bucket. I have configured a profile for my IAM user test with the access key and secret access key. To use the AWS CLI and configure a profile for IAM users, refer to the documentation linked to this video. I have two files, small file.txt and large file.txt, which are 672 kilobytes and 100 megabytes respectively. We can further confirm the size of the files by using `ls -lh`. I'll first upload the small file.txt to my S3 bucket. Let's list the S3 bucket to confirm that. Now let's follow the same process to upload the large file.txt, which is 100 megabytes.

Because the IAM user performing the upload doesn't have the necessary kms:Decrypt permissions, Amazon S3 fails to decrypt and read data from the encrypted file parts before it completes the multipart upload. Now I'm back on the AWS Management Console. We can verify the reason for the AccessDenied exception from CloudTrail as well. Let's go to the Amazon CloudTrail console, Event history. I will filter the events by username equal to test. We see multiple GenerateDataKey calls, which are used to encrypt the objects that are uploaded to S3. We can see many KMS Decrypt API calls as well. We can see the AccessDenied exception associated with the Decrypt API action. Let's view the entire CloudTrail event. From the event, we see the principal is our IAM user test, and the invokedBy field is AWS Internal. This information appears when an AWS service is performing an API call on behalf of the IAM user. In our case, S3 is the AWS service performing the Decrypt API call to the KMS endpoint kms.amazonaws.com on behalf of the IAM user. Because the IAM user does not have the required kms:Decrypt permissions, this fails.

So let's fix the permissions of the IAM user. Going back to the KMS console, Customer managed keys, and the key policy, I edit the key permissions. I'll now add kms:Decrypt permissions to my IAM user. Let's retry uploading the large file. I'm back in the AWS CLI. Since the session timed out, I am logging back in. Now let's retry uploading the large file. When you run the command, you can see the status of the upload. After the upload successfully completes with the necessary permissions, to further confirm, I'll list the objects of my S3 bucket.

Now I'm back on the IAM console. If your IAM user and the KMS key belong to the same AWS account, then using kms:Decrypt permissions on the key policy is good enough. But if your IAM user or role belongs to a different account than the key, then you must have permissions to use kms:Decrypt on both the key policy and your IAM permissions. You can review the identity-based permissions associated with the IAM user or role from the IAM dashboard. I will go to Users and go to my user test. An example IAM identity-based policy for cross-account looks like this: the policy has the necessary KMS permissions, with the Resource section that specifies the cross-account KMS key ARN. Thanks for watching, and happy cloud computing from all of us here at AWS.
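The key-policy review the video walks through by hand can be scripted. This added example (not from the video or from AWS) evaluates a KMS key policy for one principal and reports which of the two actions an SSE-KMS multipart upload needs, kms:GenerateDataKey and kms:Decrypt, are still missing. It assumes the policy has already been fetched as JSON; the account id and key policy below are constructed placeholders, and Condition blocks and the identity-based policy are deliberately ignored, so an "allowed" result here is necessary but not sufficient in the cross-account case.

```python
"""Check whether a KMS key policy grants a principal the permissions that an
SSE-KMS multipart upload needs (kms:GenerateDataKey and kms:Decrypt).

Added example, not from the video. Simplified on purpose: it evaluates only the
key policy and ignores Condition blocks and the identity-based policy."""
import fnmatch

MULTIPART_ACTIONS = frozenset({"kms:GenerateDataKey", "kms:Decrypt"})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws

def _action_matches(patterns, action):
    # IAM action names are case-insensitive and may carry wildcards (kms:*).
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed_actions(policy, principal_arn, actions=MULTIPART_ACTIONS):
    """Subset of `actions` the key policy allows for the principal; an explicit
    Deny wins over any Allow, as in IAM."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt, principal_arn):
            continue
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in actions if _action_matches(patterns, a)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied

def missing_multipart_actions(policy, principal_arn):
    """Actions the principal still lacks for a multipart SSE-KMS upload."""
    return set(MULTIPART_ACTIONS) - allowed_actions(policy, principal_arn)

# Constructed key policy mirroring the video: IAM user "test" may generate data
# keys (enough for single-part uploads) but has no kms:Decrypt. The account id
# is a placeholder, not a real account.
TEST_USER = "arn:aws:iam::111122223333:user/test"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TEST_USER},
     "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    print("missing for multipart upload:", missing_multipart_actions(KEY_POLICY, TEST_USER))
```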
Source: https://www.youtube.com/watch?v=coDX7NV3ILM