Attach a KMS-encrypted AWS bucket

This article shows how to configure an AWS bucket with KMS encryption, and to attach that bucket as storage to your Aspera on Cloud organization.

Prerequisites

  1. Create the AWS bucket.
  2. Set S3 bucket public access to allow for cross-account access.
  3. Create a KMS key.
  4. Create a KMS alias.
  5. Create IAM policy for S3 bucket access.
    • Using AWS command line: https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html
    • Syntax: # aws iam create-policy --policy-name YOUR_S3_POLICY_NAME --policy-document file://s3.policy.json
    • To obtain the key ID, use the following: # aws kms list-keys
    • For an example of the s3.policy.json file, see "S3 Access Policy: Sample Configuration" below.
  6. Create IAM policy for KMS alias access.
    • Using AWS command line: https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html
    • Syntax: # aws iam create-policy --policy-name YOUR_KMS_POLICY_NAME --policy-document file://kms-alias.policy.json
    • To obtain the key ID, use the following: # aws kms list-keys
    • For an example of the kms-alias.policy.json file, see "KMS Alias Management: Sample Configuration" below.
  7. Create the IAM role.
    Note: You'll add the trust policy to this role in a later step (step 5 of the attach procedure below).
  8. Attach the policies you created in steps 5 and 6 to the role you created in step 7.

Attaching your bucket to Aspera on Cloud

  1. Use the procedure in Attach an AWS S3 bucket.
  2. Specify the S3 region for your bucket.
  3. Set Server-side encryption to KMS.
  4. Enter the ARN for the KMS key ID or KMS key alias, using the following format:
    KMS key ID ARN format: arn:aws:kms:<region>:<account_number>:key/<encryption_key_id>
    KMS key alias ARN format: arn:aws:kms:<region>:<account_number>:alias/<encryption_key_alias>
    To obtain the key ID, use the following: # aws kms list-keys
  5. Configure the trust policy by copying the policy that AoC generates into the Trust relationship policy of the IAM role in the AWS console.
    Important: The trust relationship JSON updates with each page load.
    • Before you copy the trust policy, be sure that you have correctly configured the region (step 2 above).
    • After you copy the trust relationship, save the configuration, or otherwise verify that the page has not reloaded.
    If the page reloads after you copy the trust relationship, the trust relationship in AoC no longer matches the trust relationship in the AWS console.
  6. Configure the IAM role ARN, the S3 bucket name, and the bucket path.
Note: If you see the error message "Unable to create ATS access key and secret", see Trouble creating a new access key for a troubleshooting procedure.
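Step 4 gives two ARN shapes, and steps 2 and 6 add a region and a role ARN that have to agree with them; a typo in any of these only surfaces later as a failed transfer. The following added check (not part of the original article or of Aspera's software) validates the value typed into the KMS key ID/alias field against the documented formats and confirms that the key lives in the region chosen in step 2, which S3 requires for SSE-KMS. The sample values are the page's own example account and key ID; the alias name aoc-bucket-key is a constructed placeholder.

```python
import re

# ARN shapes from step 4 (KMS key ID or alias) and step 6 (IAM role) of the procedure above.
# The region pattern covers names such as us-east-1, eu-central-1 and us-gov-west-1.
KMS_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):"
    r"(?P<kind>key|alias)/(?P<name>[A-Za-z0-9/_-]+)$"
)
# Key IDs as printed by 'aws kms list-keys' are UUIDs.
KEY_ID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# IAM is global, so a role ARN has an empty region field: arn:aws:iam::ACCOUNT:role/NAME
ROLE_ARN = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/[\w+=,.@/-]+$")


def kms_arn_problems(arn: str, s3_region: str) -> list[str]:
    """Return findings for the value entered in the KMS key ID / key alias field.

    An empty list means the ARN has one of the two documented shapes and the
    key is in the same region as the bucket (the region set in step 2).
    """
    m = KMS_ARN.match(arn.strip())
    if not m:
        return [f"{arn!r} is not a KMS key or alias ARN in the documented format"]
    problems = []
    if m["kind"] == "key" and not KEY_ID.match(m["name"]):
        problems.append("key/ ARNs carry the key ID (UUID) shown by 'aws kms list-keys'; "
                        "use the alias/ form for an alias name")
    if m["kind"] == "alias" and m["name"].startswith("aws/"):
        problems.append("aws/ aliases are AWS managed keys, which cannot be shared "
                        "with a role in another account")
    if m["region"] != s3_region:
        problems.append(f"key is in {m['region']} but the bucket region is {s3_region}; "
                        "S3 can only use a KMS key from the bucket's own region")
    return problems


def iam_role_arn_ok(arn: str) -> bool:
    """Step 6: the role ARN must be of the form arn:aws:iam::ACCOUNT_ID:role/NAME."""
    return ROLE_ARN.match(arn.strip()) is not None


if __name__ == "__main__":
    # Values from this page's KMS example plus a constructed alias and a wrong region.
    for candidate in (
        "arn:aws:kms:us-east-1:239600258224:key/65a140e1-8c8f-4dd5-b2d7-d6cf05e15b46",
        "arn:aws:kms:us-east-1:239600258224:alias/aoc-bucket-key",
        "arn:aws:kms:eu-west-1:239600258224:alias/aoc-bucket-key",
        "alias/aoc-bucket-key",
    ):
        print(candidate, "->", kms_arn_problems(candidate, "us-east-1") or "OK")
    print(iam_role_arn_ok("arn:aws:iam::860559707280:role/atp-aws-us-east-1-ts-atc-node"))
```

Run it before pasting the ARNs into AoC; a region mismatch reported here is the same mismatch that would otherwise appear only when the first upload fails to encrypt.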

Example bucket policy configuration

If required, adjust the bucket policy so that it allows the actions shown in the following sample syntax and example.

Sample bucket policy syntax

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464034295000",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AOC_ACCOUNT_ID:role/AOC_IAM_ROLE"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AOC_ACCOUNT_ID:role/AOC_IAM_ROLE"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME"
        }
    ]
}

Example bucket policy configuration

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464034295000",
            "Effect": "Allow",
            "Principal": {
                "AWS":"arn:aws:iam::860559707280:role/atp-aws-us-east-1-ts-atc-node"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::aspera-kms/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS":"arn:aws:iam::860559707280:role/atp-aws-us-east-1-ts-atc-node"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::aspera-kms"
        }
    ]
}

S3 access policy: Sample configuration

Sample S3 access policy syntax

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ]
    }
  ]
}

Example S3 access policy configuration

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aspera-kms/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::aspera-kms"
      ]
    }
  ]
}

KMS alias management: Sample configuration

Configure a policy that permits AoC to access your key management service.

Sample KMS alias management syntax

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "kms:EnableKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom"
      ],
      "Resource": [
        "arn:aws:kms:AWS_REGION:AWS_ACCOUNT_ID:key/KMS_KEY_ID"
      ]
    }
  ]
}

Sample KMS alias management configuration

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "kms:EnableKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:239600258224:key/65a140e1-8c8f-4dd5-b2d7-d6cf05e15b46"
      ]
    }
  ]
}
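The three sample policies above (bucket policy, S3 access policy, KMS alias management policy) each name a fixed action set and a single bucket or key. An audit that checks a policy document against exactly those grants catches the two common drifts: a missing action that breaks multipart uploads, and a wildcard (s3:*, kms:*, Resource "*", Principal "*") that hands the role or the public far more than the procedure needs. The code below is an added example, not part of this article or of Aspera's product; the action sets are copied from the samples above, and the account ID, role name, bucket name and key ID in the embedded sample documents are constructed placeholders.

```python
import json

# Action sets copied from the sample policies on this page.
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:DeleteObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObject"}
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"}
KMS_ACTIONS = {"kms:EnableKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
               "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom"}


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(doc):
    """Map each Resource named in an Allow statement to the set of actions granted on it."""
    grants = {}
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            grants.setdefault(res, set()).update(_as_list(stmt["Action"]))
    return grants


def _principals(doc):
    """Yield the AWS principals of statements that have one (bucket policies only)."""
    for stmt in _as_list(doc["Statement"]):
        p = stmt.get("Principal")
        if p is None:
            continue
        yield from _as_list(p if isinstance(p, str) else p.get("AWS", []))


def audit_s3_policy(doc, bucket, aoc_role_arn=None):
    """Findings for a bucket policy (pass aoc_role_arn) or the IAM S3 access policy (None).

    An empty list means the document grants exactly the documented actions,
    only on this bucket, and (for a bucket policy) only to the AoC role.
    """
    obj_arn, bkt_arn = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    required = {obj_arn: OBJECT_ACTIONS, bkt_arn: BUCKET_ACTIONS}
    findings, grants = [], allow_grants(doc)
    for res, need in required.items():
        missing = need - grants.get(res, set())
        if missing:
            findings.append(f"{res}: missing {sorted(missing)}")
    for res, acts in grants.items():
        if res not in required:
            findings.append(f"{res}: grant on a resource outside the bucket")
            continue
        extra = acts - required[res]
        if extra:
            findings.append(f"{res}: broader than documented: {sorted(extra)}")
    for p in _principals(doc):
        if p == "*":
            findings.append("Principal '*' makes the bucket reachable from any AWS identity")
        elif aoc_role_arn and p != aoc_role_arn:
            findings.append(f"Principal {p} is not the AoC role {aoc_role_arn}")
    return findings


def audit_kms_policy(doc, key_arn):
    """Findings for the KMS alias management policy: documented actions, only on this key."""
    findings, grants = [], allow_grants(doc)
    missing = KMS_ACTIONS - grants.get(key_arn, set())
    if missing:
        findings.append(f"{key_arn}: missing {sorted(missing)}")
    for res, acts in grants.items():
        if res != key_arn:
            findings.append(f"{res}: grant on a resource other than the bucket key")
        extra = acts - KMS_ACTIONS
        if extra:
            findings.append(f"{res}: broader than documented: {sorted(extra)}")
    return findings


# Constructed samples (placeholder account, role, bucket and key ID): the page's templates
# with values filled in, plus an over-broad bucket policy that an audit should reject.
AOC_ROLE = "arn:aws:iam::111111111111:role/AOC_IAM_ROLE"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
GOOD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": AOC_ROLE}, "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": AOC_ROLE}, "Action": sorted(BUCKET_ACTIONS),
     "Resource": "arn:aws:s3:::example-bucket"}]}
BAD_BUCKET_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", '
    '"Action": "s3:*", "Resource": "*"}]}')
GOOD_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(KMS_ACTIONS), "Resource": [KEY_ARN]}]}

if __name__ == "__main__":
    print(audit_s3_policy(GOOD_BUCKET_POLICY, "example-bucket", AOC_ROLE))  # []
    print(audit_s3_policy(BAD_BUCKET_POLICY, "example-bucket", AOC_ROLE))
    print(audit_kms_policy(GOOD_KMS_POLICY, KEY_ARN))  # []
```

To audit a real document, load it with json.load from the s3.policy.json or kms-alias.policy.json file referenced in the prerequisites and pass your bucket name, the AoC role ARN from the attach procedure, and the key ARN from step 4. The identity policies created in steps 5 and 6 have no Principal, so audit_s3_policy is called with aoc_role_arn left as None for them.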