Working with server-side encrypted Amazon S3 buckets
FSx for Lustre supports Amazon S3 buckets that use server-side encryption with S3-managed keys (SSE-S3), and with Amazon KMS keys stored in Amazon Key Management Service (SSE-KMS).
If you want Amazon FSx to encrypt data when writing to your S3 bucket, you need to set the default encryption on your S3 bucket to either SSE-S3 or SSE-KMS. For more information, see Configuring default encryption in the Amazon S3 User Guide. When writing files to your S3 bucket, Amazon FSx follows the default encryption policy of your S3 bucket.
By default, Amazon FSx supports S3 buckets encrypted using SSE-S3. If you want to link your Amazon FSx file system to an S3 bucket encrypted using SSE-KMS encryption, you need to add a statement to your customer managed key policy that allows Amazon FSx to encrypt and decrypt objects in your S3 bucket using your KMS key.
The following statement allows a specific Amazon FSx file system to encrypt and decrypt
objects for a specific S3 bucket, bucket_name
.
{ "Sid": "Allow access through S3 for the FSx SLR to use the KMS key on the objects in the given S3 bucket", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
aws_account_id
:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fsx_file_system_id
" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "aws_account_id
", "kms:ViaService": "s3.bucket-region
.amazonaws.com" }, "StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket_name
/*" } } }
Note
If you're using a KMS with a CMK to encrypt your S3 bucket with S3 bucket keys
enabled, set the EncryptionContext
to the bucket ARN, not the object ARN,
as in this example:
"StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::
bucket_name
" }
The following policy statement allows all Amazon FSx file systems in your account to link to a specific S3 bucket.
{ "Sid": "Allow access through S3 for the FSx SLR to use the KMS key on the objects in the given S3 bucket", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "
aws_account_id
", "kms:ViaService": "s3.bucket-region
.amazonaws.com" }, "StringLike": { "aws:userid": "*:FSx", "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket_name
/*" } } }
Accessing server-side encrypted Amazon S3 buckets in a different Amazon Web Services account or from a Shared VPC
After you create an FSx for Lustre file system linked to an encrypted Amazon S3 bucket, you
must then grant the
AWSServiceRoleForFSxS3Access_
service-linked role (SLR) access to the KMS key used to encrypt the S3 bucket before
reading or writing data from the linked S3 bucket. You can use an IAM role which already
has permissions to the KMS key.fs-01234567890
Note
This IAM role must be in the account that the FSx for Lustre file system was created in (which is the same account as the S3 SLR), not the account that the KMS key/S3 bucket belong to.
You use the IAM role to call the following Amazon KMS API to create a grant for the S3 SLR so that the SLR gains permission to the S3 objects. In order to find the ARN associated with your SLR, search your IAM roles using your file system ID as the search string.
$
aws kms create-grant --regionfs_account_region
\ --key-id arn:aws:kms:s3_bucket_account_region
:s3_bucket_account
:key/key_id
\ --grantee-principal arn:aws:iam::fs_account_id
:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_file-system-id
\ --operations "Decrypt" "Encrypt" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "CreateGrant" "DescribeKey" "ReEncryptFrom" "ReEncryptTo"
For more information about service-linked roles, see Using service-linked roles for Amazon FSx.