Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Using LocalStack, I uploaded an object to an S3 bucket specifying the server-side encryption as aws:kms, an SSEKMSKeyId, and an SSEKMSEncryptionContext. I verified that the object was correctly uploaded with the proper metadata:
awslocal --endpoint-url=http://localhost:4566/ s3api get-object --bucket attachments-development --key .attachments/9ca85a00cde7481c02ee01f2d5e06770/384d0c0a outfile.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-02T15:20:00+00:00",
    "ContentLength": 12,
    "ETag": "\"e4d7f1b4ed2e42d15898f4b27b019da4\"",
    "VersionId": "null",
    "ContentLanguage": "en-US",
    "ContentType": "text/plain",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:000000000000:key/89816c0d-acfc-4a76-aa18-cabc2c8e477c",
    "TagCount": 2
}
I then disabled the KMS key and verified that it was disabled:
awslocal --endpoint-url=http://localhost:4566/ kms describe-key --key-id arn:aws:kms:us-east-1:000000000000:key/89816c0d-acfc-4a76-aa18-cabc2c8e477c
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "89816c0d-acfc-4a76-aa18-cabc2c8e477c",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/89816c0d-acfc-4a76-aa18-cabc2c8e477c",
        "CreationDate": "2023-03-02T10:20:00-05:00",
        "Enabled": false,
        "Description": "kms test with localstack",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
Then, when I tried to run a get-object command on the encrypted object, I expected a DisabledException, since S3 shouldn't be able to decrypt the encrypted object with a disabled key. However, the get-object command completed without an error and returned the decrypted text.
Expected Behavior
I would expect that put-object, copy-object, and get-object should throw an error if they specify an SSE-KMS key that has been disabled or does not exist.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
docker compose -f localstack/docker-compose.dev.yml up -d
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
awslocal --endpoint-url=http://localhost:4566 s3api mb s3://mybucket
awslocal --endpoint-url=http://localhost:4566 kms create-key
awslocal --endpoint-url=http://localhost:4566 s3api put-object --bucket <BUCKET NAME> --key <Object key> --server-side-encryption aws:kms --ssekms-key-id <KMS ARN> --body outfile.txt
awslocal --endpoint-url=http://localhost:4566/ s3api get-object --bucket <Bucket name> --key <Object key> outfile.txt
(Expect that this works and specifies the object is encrypted with aws:kms)
awslocal kms disable-key --key-id <KMS ARN>
awslocal --endpoint-url=http://localhost:4566/ s3api get-object --bucket <Bucket name> --key <Object key> outfile.txt
(Expect this to throw an error, but it DOES NOT)
ALTERNATIVELY, more concisely put:
awslocal --endpoint-url=http://localhost:4566 s3api mb s3://mybucket
awslocal --endpoint-url=http://localhost:4566 s3api put-object --bucket <BUCKET NAME> --key <Object key> --server-side-encryption aws:kms --ssekms-key-id <KMS ARN THAT DOES NOT EXIST> --body outfile.txt
The above command does not throw an error, when I believe that it should.
Environment
- OS: macOS Ventura 13.1
- LocalStack: 1.1.0
Anything else?
No response
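The following script is an added example and is not part of the issue above or of LocalStack's own code. It replays the reporter's steps with boto3 (create key, put with SSE-KMS, disable the key, get and put again, put with a key that was never created) and records, for each step, whether the endpoint rejected the request with one of the KMS error codes that S3 on AWS surfaces (`KMS.DisabledException`, `KMS.NotFoundException`). It assumes an endpoint reachable at `ENDPOINT_URL` (default `http://localhost:4566`, as in the report); the `ServiceError` class and the `raiser` helper are constructed stand-ins so the classification logic can be checked without a running endpoint.

```python
"""Check whether an S3 endpoint enforces KMS key state for SSE-KMS objects.

Added example, not part of the LocalStack issue: replays the report's steps
with boto3 and records, per step, whether the service rejected the request
with the KMS error code that S3 on AWS surfaces. Assumes an endpoint at
ENDPOINT_URL (default http://localhost:4566, as in the report).
"""
import os
import uuid

# Error codes S3 on AWS returns when the SSE-KMS key cannot be used.
# The issue reports that LocalStack 1.1.0 returns success instead.
KMS_REJECTION_CODES = {"KMS.DisabledException", "KMS.NotFoundException"}


class ServiceError(Exception):
    """Constructed stand-in shaped like botocore's ClientError, for offline checks."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def raiser(exc):
    """Return a zero-argument callable that raises `exc` (offline self-check helper)."""
    def _raise():
        raise exc
    return _raise


def error_code(exc):
    """Service error code from a ClientError-shaped exception, or None."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def expect_kms_rejection(operation):
    """Run `operation()` and classify the outcome.

    ("rejected", code)     failed with a KMS key-state error (the expected result)
    ("other_error", code)  failed with some other service error
    ("not_rejected", None) succeeded although the key is unusable (the bug)
    Exceptions that carry no service error code propagate unchanged.
    """
    try:
        operation()
    except Exception as exc:
        code = error_code(exc)
        if code is None:
            raise
        if code in KMS_REJECTION_CODES:
            return ("rejected", code)
        return ("other_error", code)
    return ("not_rejected", None)


def run_checks(s3, kms, bucket):
    """Replay the issue's steps against boto3 clients; returns {step: (outcome, code)}."""
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    object_key = f"sse-kms-check/{uuid.uuid4()}"
    put_args = dict(Bucket=bucket, Key=object_key, Body=b"hello, kms",
                    ServerSideEncryption="aws:kms", SSEKMSKeyId=key_id)
    results = {}

    # 1. With the key enabled, put must succeed and the object must report aws:kms.
    s3.put_object(**put_args)
    head = s3.head_object(Bucket=bucket, Key=object_key)
    results["put_enabled"] = ("encrypted" if head.get("ServerSideEncryption") == "aws:kms"
                              else "unencrypted", None)

    # 2. Disable the key: S3 must now fail to decrypt on get and to encrypt on put.
    kms.disable_key(KeyId=key_id)
    results["get_disabled"] = expect_kms_rejection(
        lambda: s3.get_object(Bucket=bucket, Key=object_key)["Body"].read())
    results["put_disabled"] = expect_kms_rejection(lambda: s3.put_object(**put_args))

    # 3. A key ID that was never created (constructed UUID) must be rejected too.
    missing = dict(put_args, SSEKMSKeyId=str(uuid.uuid4()))
    results["put_missing_key"] = expect_kms_rejection(lambda: s3.put_object(**missing))
    return results


def main():
    import boto3  # imported here so the helpers above stay usable without boto3

    endpoint = os.environ.get("ENDPOINT_URL", "http://localhost:4566")
    session = boto3.session.Session(region_name="us-east-1",
                                    aws_access_key_id="test",
                                    aws_secret_access_key="test")
    s3 = session.client("s3", endpoint_url=endpoint)
    kms = session.client("kms", endpoint_url=endpoint)
    bucket = "sse-kms-check-" + uuid.uuid4().hex[:8]
    s3.create_bucket(Bucket=bucket)
    for step, (outcome, code) in run_checks(s3, kms, bucket).items():
        print(f"{step:16} {outcome:13} {code or ''}")


if __name__ == "__main__":
    main()
```

Run it with LocalStack up (`python check_sse_kms.py`) and every step after `put_enabled` should print `rejected` with its code; a `not_rejected` line reproduces the behaviour the issue describes. Only codes from `KMS_REJECTION_CODES` count as a correct rejection, so an endpoint that fails for an unrelated reason (for example `AccessDenied`) is reported separately rather than mistaken for key-state enforcement.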