Tags: amazon-web-services, token, amazon-cloudfront, amazon-kms, oai

Invalid token when using CloudFront with OAI to access KMS encrypted file


I have a bucket that I am using to serve content via CloudFront Distribution. Currently OAI is utilised to authenticate requests to the bucket, but as an extra layer of security I am looking to add KMS encryption for the files in the bucket.

I have followed the documentation here to enable retrieval of KMS-encrypted files; however, once applied I cannot access any files (KMS-encrypted or not) in the bucket via the CDN and get an InvalidToken error:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>InvalidToken</Code>
    <Message>The provided token is malformed or otherwise invalid.</Message>
    <Token-0>{TOKEN}</Token-0>
    <RequestId>{REQUEST_ID}</RequestId>
    <HostId>{HOST_ID}</HostId>
</Error>

If I remove the OAI I can retrieve all files as expected, and if I remove the KMS decryption lambda I can retrieve unencrypted files as expected, but when both are in place I can't get anything. When checking the output requests from the lambda, the only difference between with and without OAI is the origin authMethod, i.e. none vs origin-access-identity.

What is causing this conflict in authentication, and is it possible to have both these methods in place at the same time so that only requests via the CF distribution can access the bucket and can decrypt KMS-encrypted files there?


Solution

  • Not sure how I missed this, but the documentation states:

    Currently, OAI only supports SSE-S3, which means customers cannot use SSE-KMS with OAI.

    So at this stage it is not possible to use both OAI and KMS.
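Given that OAI only works with SSE-S3, a useful pre-check before enabling OAI on a distribution is to inventory which objects in the origin bucket are KMS-managed, since those are the ones that will start failing. The following Python is an added example written for this page, not code from the question, the answer or AWS: it classifies object metadata in the shape returned by S3's HeadObject API (the ServerSideEncryption and SSEKMSKeyId fields) and lists the objects that would be unreadable behind an OAI. The sample responses are constructed; in a real audit each dict would come from boto3's head_object call for every key in the bucket. It treats unencrypted and SSE-S3 (AES256) objects as readable, which matches the question's observation that OAI alone serves unencrypted files fine, and flags everything else.

```python
"""Audit which S3 objects would become unreadable through a CloudFront
distribution that uses an Origin Access Identity (OAI).

OAI supports SSE-S3 only (per the AWS documentation quoted in the answer),
so any object with a KMS-managed server-side encryption setting fails when
fetched through an OAI-protected origin.  This helper flags those objects
from HeadObject-style metadata so the conflict is found before OAI is
enabled.  The sample metadata below is constructed for the example; in
practice each dict is the response of
boto3.client("s3").head_object(Bucket=..., Key=...).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SSE_S3 = "AES256"  # value S3 reports in ServerSideEncryption for SSE-S3 objects


@dataclass(frozen=True)
class ObjectEncryption:
    key: str
    sse: Optional[str]                  # HeadObject ServerSideEncryption, None if absent
    kms_key_id: Optional[str] = None    # HeadObject SSEKMSKeyId for aws:kms objects


def from_head_object(key: str, head: Dict[str, str]) -> ObjectEncryption:
    """Build an ObjectEncryption from a HeadObject-style response dict."""
    return ObjectEncryption(
        key=key,
        sse=head.get("ServerSideEncryption"),
        kms_key_id=head.get("SSEKMSKeyId"),
    )


def readable_via_oai(obj: ObjectEncryption) -> bool:
    """True if CloudFront with an OAI can fetch this object.

    Only objects with no server-side encryption header or with SSE-S3 are
    readable; aws:kms, aws:kms:dsse and anything else are not.
    """
    return obj.sse is None or obj.sse == SSE_S3


def find_oai_conflicts(objects: Iterable[ObjectEncryption]) -> List[ObjectEncryption]:
    """Return the objects that would fail behind an OAI, sorted by key."""
    return sorted((o for o in objects if not readable_via_oai(o)), key=lambda o: o.key)


# Constructed sample: HeadObject-style responses for four keys (not real bucket data).
SAMPLE_HEADS: Dict[str, Dict[str, str]] = {
    "public/index.html": {"ServerSideEncryption": "AES256"},
    "assets/logo.png": {},  # no SSE header at all
    "private/report.pdf": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    "private/archive.zip": {"ServerSideEncryption": "aws:kms:dsse"},
}


def audit_sample() -> List[str]:
    """Keys from SAMPLE_HEADS that would be unreadable through an OAI."""
    objs = [from_head_object(k, h) for k, h in SAMPLE_HEADS.items()]
    return [o.key for o in find_oai_conflicts(objs)]


if __name__ == "__main__":
    for key in audit_sample():
        print(f"will fail behind OAI (not SSE-S3): {key}")
```

Running the module prints the two KMS-managed keys from the constructed sample. For a real bucket, replace SAMPLE_HEADS with a loop over list_objects_v2 pages calling head_object per key; the classification logic stays the same.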