Applicable to:
- Connector: AWS S3 real-time connection logs
- Terraform
Overview
When using SSE-KMS, users configuring real-time connection logs to AWS S3 buckets may see empty files and receive repeated "Your S3 sync is experiencing issues" messages.
Cause
This is related to the use of SSE-KMS. Per the AWS documentation:
"To successfully make a PutObject request to encrypt an object with an AWS KMS key to Amazon S3, you need kms:GenerateDataKey permissions on the key. To download an object encrypted with an AWS KMS key, you need kms:Decrypt permissions for the key. To perform a multipart upload to encrypt an object with an AWS KMS key, you must have the kms:GenerateDataKey and kms:Decrypt permissions for the key."
Workaround
Use SSE-S3, or, to use SSE-KMS:
Grant the kms:GenerateDataKey and kms:Decrypt permissions on the KMS key, similar to:
# Apply kms:GenerateDataKey and kms:Decrypt on the KMS key.
# This statement block belongs inside a data "aws_iam_policy_document" block.
statement {
  actions = [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ]
  resources = [
    aws_kms_key.this.arn
  ]
}
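For context, the following added example (not part of the original article or the vendor's own configuration) shows where that statement sits in a full Terraform setup: a bucket that defaults to SSE-KMS, and a policy granting both the object write and the two KMS actions on the same key. The resource names, bucket name, policy name and the s3:PutObject statement are assumptions; attach the resulting policy to whichever principal writes the logs.

```hcl
# Added example. Names marked "placeholder" are assumptions, not values from the article.

resource "aws_kms_key" "this" {
  description         = "Key for real-time connection log objects"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-connection-logs" # placeholder
}

# Default-encrypt every object written to the bucket with the KMS key (SSE-KMS).
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.this.arn
    }
  }
}

data "aws_iam_policy_document" "log_writer" {
  # Object write access (assumed to be what the log writer needs).
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]
  }

  # Per the AWS documentation quoted above: PutObject with a KMS key needs
  # kms:GenerateDataKey, and multipart uploads need kms:Decrypt as well.
  statement {
    actions = [
      "kms:GenerateDataKey",
      "kms:Decrypt",
    ]
    resources = [aws_kms_key.this.arn]
  }
}

resource "aws_iam_policy" "log_writer" {
  name   = "connection-logs-writer" # placeholder
  policy = data.aws_iam_policy_document.log_writer.json
}
```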