Using KMS to manage your keys
AWS Key Management Service (KMS) is one option for managing your encryption keys for SSE. This gives you
slightly more control than
SSE-S3, but also requires a little bit of configuration on your part.
Create a KMS key
To use KMS with SFTP Gateway, you have to first create a key within IAM.
- Go to IAM > Encrypt Keys
- Click Create Key
- Step through the wizard until you reach the Define Key Usage Permissions page
- Check the box next to the role for your EC2 instance. (If you're not sure which one, you can find this in the EC2 instance details)
- Finish the wizard for creating the KMS key
Once you have a KMS key, copy the
Encrypting user uploads with KMS
Configure a user with
addsftpuser. When presented with encryption options, choose
KMS. Then provide the
arn of the KMS key.
Files transferred to the user's uploads directory will be encrypted with KMS. These files will still be readable from the AWS console.
Uploading KMS-encrypted files to other locations
You will need to use the AWS CLI if you want to encrypt files with KMS in other S3 locations, such as:
- A user's private download directory
- The shared download directory
This is the syntax to use:
aws s3api put-object \ --body file.txt \ --bucket sftpgateway-i-0123456789abcde \ --key testuser/downloads/file.txt \ --server-side-encryption aws:kms \ --ssekms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdefghi-0123-4567-abcd-0123456789