Upload failure to S3 bucket with server-side encryption :: Support Forum

Rinaldo
Joined:: 2018-11-30
Posts:: 3
Location:: United Kingdom

Upload failure to S3 bucket with server-side encryption

2018-11-30 16:29

I have an S3 bucket with server-side encryption enabled.
I can successfully use winSCP to connect to the bucket and download files. However I get an 'Access Denied' error if I try and upload files.

Is upload to a server-side encrypted S3 bucket supported by winSCP?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,441
Location:: Prague, Czechia

Re: Upload failure to S3 bucket with server-side encryption

2018-12-07

I have created a new bucket with AES-256 encryption. And I had no problems with uploading files to the bucket using an account with AmazonS3FullAccess policy.

Reply with quote

Rinaldo
Joined:: 2018-11-30
Posts:: 3
Location:: United Kingdom

Re: Upload failure to S3 bucket with server-side encryption

2018-12-11 11:07

martin wrote:

I have created a new bucket with AES-256 encryption. And I had no problems with uploading files to the bucket using an account with AmazonS3FullAccess policy.

Thanks for looking into this Martin. I'm still having problems with upload. My winSCP version is 5.13.5. Are there any special settings you need to set in winSCP to use server-side encryption? In particular, to use S3 server-side encryption, the HTTP header must have:
x-amz-server-side-encryption = AES256

Thanks,
Rinaldo

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,441
Location:: Prague, Czechia

Re: Upload failure to S3 bucket with server-side encryption

2018-12-14

OK, I've read more about this.

Do I understand right that your bucket relies on a client to ask for object encryption using x-amz-server-side-encryption header? And it has a policy to rejects any uploads that doesn't have the header set. Is that correct?
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/

While, what I did is that I've set default encryption setting for my bucket. With that setting, client (WinSCP) does not need to do anything special. All stored/uploaded files are encrypted by default.

The "default encryption settings" seems like a better option for your needs. It was added only a year ago, so it may be why your bucket is using the "old" method.
https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Reply with quote

Rinaldo

2018-12-18 15:53

Thanks Martin, that's fixed it.

Reply with quote

martin◆ Site Admin

2018-12-21

Thanks for your feedback.

Reply with quote

qna87 Guest

Cannot change "default encryption settings"

2019-06-19 20:21

What if the "default encryption settings" for the S3 bucket is not something I have control over changing? How can I set WinSCP to do AES 256 encryption on an S3 bucket where I have access to upload files, but only if I can set the server side encryption on the client side?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,441
Location:: Prague, Czechia

Re: Cannot change "default encryption settings"

2019-06-21

qna87 wrote:

What if the "default encryption settings" for the S3 bucket is not something I have control over changing? How can I set WinSCP to do AES 256 encryption on an S3 bucket where I have access to upload files, but only if I can set the server side encryption on the client side?

Your other post:
https://winscp.net/forum/viewtopic.php?t=27957

Reply with quote