external/og-aws
1
0
Fork 0
mirror of https://github.com/nickpoida/og-aws.git synced 2025-02-13 10:21:57 +00:00
Code Issues Releases Wiki Activity

add KMS gotcha about s3 multi part uploads (#458)

Browse source
This commit is contained in:
Andreas Zoellner 2017-06-24 12:50:16 -07:00 committed by Thanos Baskous
parent f7efa37bc6
commit 8b03bc0b7b
1 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -1505,6 +1505,7 @@ KMS
- 🔸The Encrypt API only works with < 4KB of data. Larger data requires generating and managing a [data key](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) in your application layer. - 🔸The Encrypt API only works with < 4KB of data. Larger data requires generating and managing a [data key](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) in your application layer.
- 🔸KMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3. - 🔸KMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3.
- 🔸In order to Encrypt a multi-part upload to S3, the KMS Key Policy needs to allow "kms:Decrypt" and "kms:GenerateDataKey*" in addition to "kms:Encrypt". Otherwise the upload will fail with an AccessDenied error.
CloudFront CloudFront
---------- ----------