Enabling AWS KMS Encryption for Amazon S3 Cloud Storage

AWS Key Management Service (KMS) is an Amazon web service that manages customer master keys; Amazon S3 can use those keys for server-side encryption of the objects stored in a bucket. You can configure S3 server-side encryption with KMS system-wide or on a user-by-user basis.

Prerequisites:

  • Aspera server version 3.6.1 or later.
  • Your server is located in the same region as your S3 bucket.
  • You have root access to your Aspera server, so that you can edit configurations and restart services.
  • You know which KMS Key to use (the default key or a specific one).
    Note: To use a specific KMS key, you must access your AWS console and create a key using the AWS IAM role console. For instructions on creating keys for KMS, see AWS Key Management Service Developer Guide: Creating Keys at https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html.
The following instructions describe how to configure S3 server-side encryption with KMS and verify that objects uploaded to your bucket are encrypted.

System-Wide Configuration

To enable system-wide S3 server-side encryption with KMS, configure the s3.properties file on the server.

  1. Log in to your Aspera server as root.
    # ssh -i identity_file -p 33001 ec2-user@ec2_host_ip
    # su -
  2. Open the s3.properties file with a text editor.
    The file is located at /opt/aspera/etc/trapd/s3.properties.
  3. Configure the system to use S3 SSE with KMS using either the default Amazon key or a specific key you generated.
    • Using the default AWS KMS key: Locate the following line:
      #server-side-encryption=NONE

      Uncomment the line and set the value to AWS_KMS. For example:

      server-side-encryption=AWS_KMS
    • Specify a KMS key: Locate the following line:
      #server-side-encryption-aws-kms-key-id

      Uncomment the line and set the value to your key, using either the full ARN of the KMS key or its key ID. For example:

      server-side-encryption-aws-kms-key-id = arn:aws:kms:us-west-2:289669785124:key/9120a367-8204-4752-8b0f-1ca9d90j8ec3

      Setting a value for server-side-encryption-aws-kms-key-id automatically sets server-side-encryption=AWS_KMS.

  4. Save and exit the configuration file.
  5. Restart the Aspera Trapd service to activate your changes.
    # systemctl restart asperatrapd

Individual Docroot Configuration

To enable S3 server-side encryption with KMS for specific users, append ?server-side-encryption=AWS_KMS to the S3 docroot of the transfer users. You can do this in IBM Aspera Console or using the asconfigurator tool. The examples below use asconfigurator.

  1. Log in to your Aspera server as root.
    # ssh -i identity_file -p 33001 ec2-user@ec2_host_ip
    # su -
  2. Configure the docroot.
    Set the docroot by running the following command:
    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    The docroot format depends on which KMS key you use:

    • Using the default AWS KMS key with IAM roles
      s3://s3.amazonaws.com/my_bucket/?server-side-encryption=AWS_KMS

      For example, run the following command with the asconfigurator tool for a user with the username xfer:

      # asconfigurator -x "set_user_data;user_name,xfer;absolute,s3://s3.amazonaws.com/aspera_s3_bucket/aspera_bucket?server-side-encryption=AWS_KMS"

      If you are not using IAM roles, you must specify the access ID and secret key in your docroot, as described in Setting Docroots for Object Storage and HDFS.

    • Specifying a KMS key
      s3://s3.amazonaws.com/my_bucket/?server-side-encryption-aws-kms-key-id=your_aws_kms_key_id

      For example, run the following command with the asconfigurator tool for a user with the username xfer:

      # asconfigurator -x "set_user_data;user_name,xfer;absolute,s3://s3.amazonaws.com/aspera_s3_bucket/aspera_bucket?server-side-encryption-aws-kms-key-id=9120a367-8204-4752-8b0f-1ca9d90j8ec3"

      If you are not using IAM roles, you must specify the access ID and secret key in your docroot, as described in Setting Docroots for Object Storage and HDFS.
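The following script is an added example (not part of Aspera's software or this guide) that applies the rules from the system-wide and docroot sections above: it parses an s3.properties fragment or an S3 docroot query string and reports the effective encryption mode, treating a non-empty KMS key ID as implying server-side-encryption=AWS_KMS. The function names and the sample inputs are constructed for illustration.

```python
# Added example: derive the effective S3 server-side encryption mode from an
# Aspera s3.properties file or from a transfer user's S3 docroot. Not Aspera
# code; the function names and sample inputs below are assumptions.
from urllib.parse import parse_qs

SSE_KEY = "server-side-encryption"
KMS_ID_KEY = "server-side-encryption-aws-kms-key-id"


def parse_properties(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_sse(settings):
    """Return (mode, kms_key_id) for a dict of settings.

    A non-empty KMS key ID forces AWS_KMS even when server-side-encryption
    is absent or still NONE; AWS_KMS with no key ID means the account's
    default aws/s3 key is used.
    """
    key_id = settings.get(KMS_ID_KEY, "").strip()
    if key_id:
        return "AWS_KMS", key_id
    mode = settings.get(SSE_KEY, "NONE").strip().upper() or "NONE"
    return mode, None


def sse_from_properties(text):
    return effective_sse(parse_properties(text))


def sse_from_docroot(docroot):
    """Read the ?server-side-encryption... parameters of an S3 docroot."""
    query = parse_qs(docroot.partition("?")[2])
    # parse_qs returns a list per parameter; keep the first value of each
    return effective_sse({k: v[0] for k, v in query.items() if v})


if __name__ == "__main__":
    # Constructed sample: commented-out NONE line plus a KMS key ARN
    sample = ("#server-side-encryption=NONE\n"
              "server-side-encryption-aws-kms-key-id = arn:aws:kms:"
              "us-west-2:289669785124:key/9120a367-8204-4752-8b0f-1ca9d90j8ec3\n")
    print(sse_from_properties(sample))
    print(sse_from_docroot("s3://s3.amazonaws.com/my_bucket/?server-side-encryption=AWS_KMS"))
```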

Verify KMS Encryption

Verify that encryption has been correctly set up for the IAM role.
  1. Upload and download a package to the S3 bucket using an Aspera client.
  2. Log in to the AWS Console.
  3. View object properties.
    Go to the S3 service and find the object you just uploaded. Go to Properties > Details. The Server Side Encryption option shows one of the following encryption modes:
    • Default encryption (no KMS): AES-256
    • Using the Amazon default master key: Using AWS KMS master key: aws/s3 (default)
    • Using a specific master key: Using AWS KMS master key: my-s3-kms-key
    The encryption mode should match the key you used to configure KMS.