Alt 1 - Encryption using Amazon key (SSE-S3)
Go to your bucket Properties and find the encryption section and enable it.
The "Amazon S3 key" encryption key type option works right away, while using your own key requires an additional permission on the AWS KMS key (see below).
Alt 2 - Encryption using your own KMS key (SSE-KMS)
Go to your bucket Properties and find the encryption section and enable it.
Select the second "Encryption key type" option and select your KMS key or create one (the AWS managed key option is not supported).
Edit the policy of the KMS key, add the statement below, and update the "Resource" with the KMS ARN.
If you are using the app.funnel.io service:
{
    "Sid": "Enable funnel encrypting incoming S3 data",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::071303700930:role/funnel-export-executor"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}"
}
If you are using the app.eu.funnel.io service:
{
    "Sid": "Enable funnel encrypting incoming S3 data",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::924192298621:role/funnel-s3-uploader-eu"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}"
}
kms:Decrypt is needed because the S3 export uses multipart upload when the file is over a certain size.
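A check you can run on the key policy after adding the statement, as an added example that is not Funnel's or AWS's own code. It assumes the policy JSON has already been exported from the key; the function names and sample policies are made up for illustration. It reports a missing action or a "Resource" that still holds the template placeholders.

```python
import json
from fnmatch import fnmatchcase
# Principal ARNs are copied from the two statements on this page.
FUNNEL_PRINCIPALS = {
    "app.funnel.io": "arn:aws:iam::071303700930:role/funnel-export-executor",
    "app.eu.funnel.io": "arn:aws:iam::924192298621:role/funnel-s3-uploader-eu",
}
# Assumption: kms:GenerateDataKey is the call the wildcard must at least cover.
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

def as_list(value):  # policy fields may be one string or a list
    return value if isinstance(value, list) else [value]

def check_key_policy(policy_json, service):
    """Return a list of problems; an empty list means the statement is in place."""
    principal = FUNNEL_PRINCIPALS[service]
    problems, granted = [], []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        who = stmt.get("Principal")
        arns = as_list(who.get("AWS", [])) if isinstance(who, dict) else []
        if stmt.get("Effect") != "Allow" or principal not in arns:
            continue
        granted += as_list(stmt.get("Action", []))
        # Catch the template's {region}/{account-id}/{kms-key-id} left unedited.
        problems += [f"placeholder left in Resource: {r}"
                     for r in as_list(stmt.get("Resource", [])) if "{" in r]
    if not granted:
        return [f"no Allow statement names {principal}"]
    for action in REQUIRED_ACTIONS:
        # IAM action names are case-insensitive and may use * wildcards.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in granted):
            problems.append(f"missing action: {action}")
    return problems

def sample_policy(actions, resource):
    """Constructed key policy holding one Funnel statement (sample data)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": FUNNEL_PRINCIPALS["app.funnel.io"]},
        "Action": actions, "Resource": resource}]})

# Constructed samples; BAD drops kms:Decrypt and keeps the template Resource.
GOOD = sample_policy(["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000")
BAD = sample_policy(["kms:Encrypt", "kms:GenerateDataKey*"],
    "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}")

if __name__ == "__main__":
    print(check_key_policy(BAD, "app.funnel.io"))
```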