What should the Security Engineer do to achieve this?
Use envelope encryption with the AWS-managed CMK aws/s3.
Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
Explanations:
Envelope encryption with the AWS-managed CMK aws/s3 is used for encrypting the S3 objects, not for controlling access to specific folders or limiting access based on IAM users.
Creating a customer-managed CMK with a key policy granting kms:Decrypt based on the ${aws:username} variable allows for decryption but doesn't restrict access to specific folders in the S3 bucket. This approach focuses on encryption key access, not object-level access control.
Creating a customer-managed CMK for each user and adding each user as a key user in their corresponding key policy will allow key usage but does not solve the problem of limiting S3 object access to specific folders for each IAM user.
Modifying the IAM policy to grant access to a specific folder (arn:aws:s3:::examplebucket/${aws:username}/*) ensures that each user can only access their own folder: the ${aws:username} variable is resolved at evaluation time to the calling IAM user's name, so one policy dynamically scopes every user to the prefix matching that name.
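As an added illustration (not part of the original question or its explanation), this is an identity-based IAM policy that applies the correct option. The bucket name examplebucket and the per-user prefix layout come from the question; the ListBucket statement with the s3:prefix condition goes beyond what the explanation states and lets each user list only their own prefix rather than the whole bucket. The "Version": "2012-10-17" element is required, since policy variables such as ${aws:username} are not interpolated under the older version.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::examplebucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    },
    {
      "Sid": "ObjectAccessOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
```

Attach the policy to the IAM users (or to a group they belong to). Two checks worth making before relying on it: ${aws:username} is only populated for IAM user principals, so the statements grant nothing to federated identities or assumed roles (those need a different variable, such as ${aws:userid}, or session tags), and the bucket's own policy must not contain a broader Allow that would hand users objects outside their prefix anyway.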