Does CloudFront support S3 signature version 4 for KMS encrypted objects?
I'm using Cloudfront with an S3 origin that is using KMS to encrypt objects. I'm getting the following error when sending a GET request for an object in the S3 bucket.
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
I assumed Cloudfront would be smart enough to use AWS Signature Version 4 when requesting the object, but perhaps not?
It looks like this has been an issue with new S3 regions. Amazon recently added support for these new regions but I don't think they have addressed the issue with KMS-encrypted objects.
Does anyone have experience with this and know if there is a way to get Cloudfront's origin access identity to use signature v4?
amazon-web-services amazon-s3 encryption amazon-cloudfront kms
Does it make sense to use CloudFront and S3/SSE-KMS together? The object would presumably be stored unencrypted in the CloudFront edge cache, which seems like it would rather defeat the purpose of storing it encrypted in S3 in the first place. Not trying to be pedantic, but I'm not sure this is a problem they would want to solve.
– Michael - sqlbot
May 13 '16 at 21:45
@Michael-sqlbot That is a very good point. I was wondering about this at one point but it slipped my mind. However, encrypting the S3 objects could still protect the data from the unlikely theft of S3 drives (and not CloudFront cache drives). Also, is there documentation that confirms the CloudFront edge cache is unencrypted? I assume it is unencrypted.
– DJ Tarazona
May 13 '16 at 22:46
asked May 13 '16 at 17:46
DJ Tarazona
1 Answer
You need to configure your AWS Signature Version, e.g.
aws configure set default.s3.signature_version s3v4
or for the specific profile:
aws configure set profile.<profilename>.s3.signature_version s3v4
Then re-try, e.g.
aws s3 cp s3://rkbtest/check.png ./
Source: aws/aws-cli/issues/1006 at GitHub.
If using a curl/wget command, you need to add an extra Authorization header to your request, e.g.
GET /photos/puppy.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Tue, 27 Mar 2007 19:36:42 +0000
Authorization: AWS AKIAIOSFODNN7EXAMPLE:bWq2s1WEIj+Ydj0vQ697zp+IXMU=
Syntax: Authorization: AWS AWSAccessKeyId:Signature.
See: Signing and Authenticating REST Requests.
answered Sep 29 '17 at 12:56
kenorb