doc-exports/docs/obs/s3api/en-us_topic_0125560445.html
Jawei, Li 1a4c1a720a OBS s3api 2.0.38.SP5
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Jawei, Li <lijiawei5@huawei.com>
Co-committed-by: Jawei, Li <lijiawei5@huawei.com>
2022-11-16 14:51:13 +00:00


<a name="EN-US_TOPIC_0125560445"></a>
<h1 class="topictitle1">SSE-KMS</h1>
<div id="body1463023869053"><p id="EN-US_TOPIC_0125560445__p15604658104511">In SSE-KMS mode, OBS uses keys provided by KMS for server-side encryption. When an object encrypted with SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. Only users with the tenant_admin role can use the SSE-KMS interfaces. SSE-KMS mode does not support customer-created keys. Bucket ACLs and bucket policies do not allow cross-tenant authorized access to objects encrypted with SSE-KMS. OBS does not support KMS with multiple projects.</p>
<p id="EN-US_TOPIC_0125560445__p22712686113454"><a href="#EN-US_TOPIC_0125560445__table3087586113454">Table 1</a> lists the two headers added to support SSE-KMS mode.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560445__table3087586113454"></a><a name="table3087586113454"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560445__table3087586113454" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Headers needed in SSE-KMS mode</caption><thead align="left"><tr id="EN-US_TOPIC_0125560445__row163412111385"><th align="left" class="cellrowborder" valign="top" width="26.26%" id="mcps1.3.3.2.3.1.1"><p id="EN-US_TOPIC_0125560445__p13571117387">Header</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.74000000000001%" id="mcps1.3.3.2.3.1.2"><p id="EN-US_TOPIC_0125560445__p1135131112382">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560445__row51205044113454"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560445__p53967936113454">x-amz-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560445__p9326663113454">Indicates that SSE-KMS is used. Objects are encrypted using SSE-KMS.</p>
<p id="EN-US_TOPIC_0125560445__p19164125012547">Example:</p>
<p id="EN-US_TOPIC_0125560445__p16831109113454">x-amz-server-side-encryption:aws:kms</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row17262259113454"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560445__p56065772113454">x-amz-server-side-encryption-aws-kms-key-id</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560445__p45033689113454">Indicates the master key ID of an encrypted object. This header is used in SSE-KMS mode. If the customer does not provide the master key, the default master key will be used.</p>
<p id="EN-US_TOPIC_0125560445__p84781716550">Example:</p>
<p id="EN-US_TOPIC_0125560445__p2650023113454">x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:sichuan:domainiddomainiddomainiddoma0001:key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0</p>
<p id="EN-US_TOPIC_0125560445__p18707114515461">Note:</p>
<p id="EN-US_TOPIC_0125560445__p12707104511464">sichuan: indicates the region name. Set the value based on site requirements.</p>
<p id="EN-US_TOPIC_0125560445__p8707194594614">domainiddomainiddomainiddoma0001: indicates the tenant ID. Set the value based on site requirements.</p>
<p id="EN-US_TOPIC_0125560445__p1270819459463">key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0: indicates the key ID. Set the value based on site requirements.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560445__table13325310113454" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Interfaces to which the newly added headers apply</caption><thead align="left"><tr id="EN-US_TOPIC_0125560445__row61931835113454"><th align="left" class="cellrowborder" valign="top" width="100%" id="mcps1.3.4.2.2.1.1"><p id="EN-US_TOPIC_0125560445__p50422727113454">Interface</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560445__row57709047113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p43921203113454">PUT Object</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row59746514113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p7629452113454">POST Object</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row1556210113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p58944196113454">PUT Object - Copy (the newly added headers apply to target objects)</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560445__row60735723113454"><td class="cellrowborder" valign="top" width="100%" headers="mcps1.3.4.2.2.1.1 "><p id="EN-US_TOPIC_0125560445__p20646494113454">Initiate Multipart Upload</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560445__p61753355113454">OBS supports bucket policies. To require server-side encryption for every object stored in a bucket, use a bucket policy. For example, the following bucket policy rejects any object upload request that does not carry <strong id="EN-US_TOPIC_0125560445__b18909286113454">x-amz-server-side-encryption:"aws:kms"</strong>, the header that requests server-side encryption (SSE-KMS):</p>
<pre id="EN-US_TOPIC_0125560445__p35965848113454">{
  "Version": "2008-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}</pre>
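<p>The following is an added example written for this page, not OBS or Huawei code. It assembles the two SSE-KMS headers from Table 1 for the interfaces in Table 2, and then evaluates the bucket policy above against constructed upload requests so you can see which ones the Deny statement rejects. The policy evaluator models only the StringNotEquals operator the page's policy uses; the region, tenant ID and key ID are the placeholder values from the page's own ARN example and must be replaced per site.</p>

```python
"""Added example (not OBS or Huawei code): build SSE-KMS request headers and
check them against the page's bucket policy with a minimal evaluator."""
import json

# Placeholder ARN parts copied from the page's example; set per site.
REGION = "sichuan"
DOMAIN_ID = "domainiddomainiddomainiddoma0001"
KEY_ID = "4f1cd4de-ab64-4807-920a-47fc42e7f0d0"

SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def kms_key_arn(region: str, domain_id: str, key_id: str) -> str:
    """Assemble the master-key ARN in the form shown in Table 1."""
    return f"arn:aws:kms:{region}:{domain_id}:key/{key_id}"


def sse_kms_headers(key_id_arn: str = "") -> dict:
    """Headers for PUT Object, POST Object, PUT Object - Copy (target object)
    and Initiate Multipart Upload.  Without key_id_arn OBS falls back to the
    default master key, so only the first header is sent."""
    headers = {SSE_HEADER: "aws:kms"}
    if key_id_arn:
        headers[KMS_KEY_HEADER] = key_id_arn
    return headers


# The bucket policy from this page, unchanged apart from whitespace.
BUCKET_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}""")


def _condition_matches(condition: dict, headers: dict) -> bool:
    """Evaluate the StringNotEquals operator used by the page's policy.
    A condition key s3:<header> is read from the request headers; a header
    that is absent compares unequal, so the Deny fires for uploads that omit
    it, which is the behaviour the page describes."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            header = key.split(":", 1)[1]
            if headers.get(header) == expected:
                return False  # equal value: StringNotEquals does not match
    return True


def is_denied(policy: dict, action: str, resource: str, headers: dict) -> bool:
    """True when a Deny statement in the policy applies to this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        if _condition_matches(stmt.get("Condition", {}), headers):
            return True
    return False


def upload_allowed(headers: dict, key: str = "report.pdf") -> bool:
    """Decide whether a PUT Object with these headers passes the policy."""
    resource = f"arn:aws:s3:::YourBucket/{key}"
    return not is_denied(BUCKET_POLICY, "s3:PutObject", resource, headers)


if __name__ == "__main__":
    # Three constructed requests: no SSE header, SSE-KMS with the default
    # master key, and SSE-KMS with an explicit master-key ARN.
    samples = {
        "plain upload": {},
        "sse-kms, default key": sse_kms_headers(),
        "sse-kms, explicit key": sse_kms_headers(
            kms_key_arn(REGION, DOMAIN_ID, KEY_ID)),
    }
    for name, hdrs in samples.items():
        verdict = "allowed" if upload_allowed(hdrs) else "denied"
        print(f"{name:24s} -> {verdict}")
```

<p>The evaluator is intentionally narrow: it covers only the Deny/StringNotEquals shape of the policy on this page, and it treats a missing header as a non-match so that the upload is denied, which is the outcome the page states for requests that omit the header. Note that the Deny is scoped to <strong>s3:PutObject</strong> on the bucket's objects; a request for another resource is not affected by it.</p>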
</div>