doc-exports/docs/obs/s3api/en-us_topic_0125560445.html
zhangyue 5eee175e13 OBS S3 API
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-03-14 12:40:31 +00:00

<a name="EN-US_TOPIC_0125560445"></a><a name="EN-US_TOPIC_0125560445"></a>
<h1 class="topictitle1">SSE-KMS</h1>
<div id="body1463023869053"><p id="EN-US_TOPIC_0125560445__p15604658104511">In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. When an object encrypted using SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. Only users with the tenant_admin role can use SSE-KMS interfaces. The SSE-KMS mode does not support the keys created by customers. The bucket ACL and policy do not allow cross-tenant authorized access to objects encrypted using SSE-KMS. OBS does not support KMS with multiple projects.</p>
<p id="EN-US_TOPIC_0125560445__p22712686113454"><a href="#EN-US_TOPIC_0125560445__table3087586113454">Table 1</a> lists the two headers that are added to support SSE-KMS.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560445__table3087586113454"></a><a name="table3087586113454"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560445__table3087586113454" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Headers needed in SSE-KMS mode</caption><thead align="left"><tr id="EN-US_TOPIC_0125560445__row163412111385"><th align="left" class="cellrowborder" valign="top" width="26.26%" id="mcps1.3.3.2.3.1.1"><p id="EN-US_TOPIC_0125560445__p13571117387">Header</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.74000000000001%" id="mcps1.3.3.2.3.1.2"><p id="EN-US_TOPIC_0125560445__p1135131112382">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560445__row51205044113454"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560445__p53967936113454">x-amz-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560445__p9326663113454">Indicates that the object is encrypted using SSE-KMS.</p>
<p id="EN-US_TOPIC_0125560445__p19164125012547">Example:</p>
<p id="EN-US_TOPIC_0125560445__p16831109113454">x-amz-server-side-encryption:aws:kms</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row17262259113454"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560445__p56065772113454">x-amz-server-side-encryption-aws-kms-key-id</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560445__p45033689113454">Indicates the ID of the master key used to encrypt the object. This header is used in SSE-KMS mode. If the customer does not provide a master key ID, the default master key is used.</p>
<p id="EN-US_TOPIC_0125560445__p84781716550">Example:</p>
<p id="EN-US_TOPIC_0125560445__p2650023113454">x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:sichuan:domainiddomainiddomainiddoma0001:key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0</p>
<p id="EN-US_TOPIC_0125560445__p18707114515461">Note:</p>
<p id="EN-US_TOPIC_0125560445__p12707104511464">sichuan: indicates the region name. Set the value based on site requirements.</p>
<p id="EN-US_TOPIC_0125560445__p8707194594614">domainiddomainiddomainiddoma0001: indicates the tenant ID. Set the value based on site requirements.</p>
<p id="EN-US_TOPIC_0125560445__p1270819459463">key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0: indicates the key ID. Set the value based on site requirements.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560445__table13325310113454" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Interfaces to which the newly added headers apply</caption><thead align="left"><tr id="EN-US_TOPIC_0125560445__row61931835113454"><th align="left" class="cellrowborder" valign="top" width="100%" id="mcps1.3.4.2.2.1.1"><p id="EN-US_TOPIC_0125560445__p50422727113454">Interface</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560445__row57709047113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p43921203113454">PUT Object</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row59746514113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p7629452113454">POST Object</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row1556210113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p58944196113454">PUT Object - Copy (the newly added headers apply to target objects)</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row60735723113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p20646494113454">Initiate Multipart Upload</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="p" id="EN-US_TOPIC_0125560445__p61753355113454">OBS supports bucket policies. If you want to enforce server-side encryption for all objects stored in a bucket, you can use a bucket policy. For example, the following bucket policy rejects any object upload request that does not carry the header <strong id="EN-US_TOPIC_0125560445__b18909286113454">x-amz-server-side-encryption:"aws:kms"</strong>, which requests server-side encryption with SSE-KMS:<pre class="screen" id="EN-US_TOPIC_0125560445__screen1626613663319">{
  "Version": "2008-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}</pre>
</div>
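<p>As an added illustration (not part of the original OBS documentation), the following Python builds the Table 1 headers for an upload and evaluates the bucket policy above against a request, so the effect of omitting the header or sending a non-KMS value can be checked before a client is deployed. The key ARN layout, the mapping of x-amz-* headers to s3: condition keys and the absent-key rule for StringNotEquals are assumptions stated in the comments.</p>

```python
import json
import re
from fnmatch import fnmatchcase

# The bucket policy quoted on this page, loaded as a Python dict.
DENY_UNENCRYPTED_POLICY = json.loads("""{
  "Version": "2008-10-17", "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
  }]
}""")

# Assumed layout of a KMS key ARN, following the Table 1 example:
# arn:aws:kms:<region>:<tenant ID>:key/<key ID>, with a UUID-shaped key ID.
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[^:]+):(?P<tenant>[^:]+):key/"
    r"(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")


def sse_kms_headers(key_arn=None):
    """Build the Table 1 request headers for an SSE-KMS upload. Without
    key_arn only the first header is sent, so the default master key applies."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if key_arn is not None:
        if not KMS_KEY_ARN.match(key_arn):
            raise ValueError("not a KMS key ARN: %r" % key_arn)
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = key_arn
    return headers


def is_denied(policy, action, resource, headers):
    """Return True if a Deny statement in policy matches the request.
    Condition keys are derived from x-amz-* headers by prefixing "s3:" (assumed).
    For StringNotEquals an absent key counts as a match (AWS semantics), which
    is what makes the page's policy reject uploads that omit the header."""
    keys = {"s3:" + k.lower(): v for k, v in headers.items()
            if k.lower().startswith("x-amz-")}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(keys.get(k) != v for k, v in not_equals.items()):
            return True
    return False
```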
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0125560343.html">Server-Side Encryption</a></div>
</div>
</div>