# SSE-KMS Encryption

This section describes how to connect an AWS S3 Bucket with [SSE-KMS Encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) enabled. General instructions for configuring your AWS account to allow ICA to connect to an S3 bucket are found on [this page](https://help.ica.illumina.com/home/h-storage/s-awss3).

{% embed url="<https://www.youtube.com/watch?v=CrcZ5GtSMSY>" %}
Connect an AWS S3 Bucket with SSE-KMS Encryption Enabled
{% endembed %}

## Create an S3 bucket with SSE-KMS

Follow the [AWS instructions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-bucket-key.html) for creating an S3 bucket that uses an SSE-KMS key as its default encryption.

{% hint style="warning" %}
The SSE-KMS-encrypted S3 bucket must be in the same region as your ICA v2.0 project. See the [ICA S3 bucket documentation](https://help.ica.illumina.com/home/h-storage/s-awss3) for more information.
{% endhint %}

In the "Default encryption" section, enable server-side encryption and choose `AWS Key Management Service key (SSE-KMS)`. Then select `Choose your AWS KMS key` and pick the customer managed key the bucket should use.

{% hint style="info" %}
If you do not have an existing customer managed key, click `Create a KMS key` and follow [these steps](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) from AWS.
{% endhint %}

<figure><img src="https://3193631692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWUqIqZhOK_i4HqCUpT%2Fuploads%2Fgit-blob-828817651799a93ac23a03c4bc403a1de7cb34d5%2Fimage%20(120).png?alt=media" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Once the bucket is created, create a folder in it to be linked in the ICA storage configuration; objects written under that folder are encrypted with the bucket's default SSE-KMS key. This folder is connected to ICA as a [prefix](#create-the-s3-sse-kms-configuration-in-ica). Although it is technically possible to use the **root folder**, this **is not recommended**: a storage configuration on the root claims the whole bucket, so the bucket can no longer be used by other projects.
{% endhint %}

![sse-kms-1](https://3193631692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWUqIqZhOK_i4HqCUpT%2Fuploads%2Fgit-blob-b13ac474bcefbc312ab7d23e7883b6c4852c5f22%2Fsse-kms-1.png?alt=media\&token=9e1c61a6-94a1-4f15-831e-de0255f84cf9)

## Connect the S3-SSE-KMS to ICA

Follow the [general instructions](https://help.ica.illumina.com/home/h-storage/s-awss3) for connecting an S3 bucket to ICA.

In the step [Create AWS IAM Policy (IAM User)](https://help.ica.illumina.com/home/h-storage/iam-user-method#id-2-create-data-access-permission-aws-iam-policy) or [Create AWS IAM Policy (IAM Role)](https://help.ica.illumina.com/home/h-storage/iam-role-method#id-2-create-data-access-permission-aws-iam-policy), update the policy as follows:

* Add permission to use the KMS key by adding the `kms:Decrypt`, `kms:Encrypt`, and `kms:GenerateDataKey` actions.
* Add the KMS key ARN (`arn:aws:kms:xxx`, replaced with the ARN of your key) to the first "Resource" list.
* Depending on the bucket type (Unversioned, Versioned or Suspended), the permissions must match the following.

Note that an IAM policy can only grant KMS actions that the key policy allows. With the default key policy, the "Enable IAM User Permissions" statement for the account root delegates that decision to IAM; if the key policy has been narrowed, the IAM user or role must also be allowed in the key policy itself.

{% tabs %}
{% tab title="Unversioned" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "s3:PutBucketNotification",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:kms:xxx",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:RestoreObject",
                "s3:DeleteObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/YOUR_FOLDER_NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

{% endtab %}

{% tab title="Versioned or Suspended" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "s3:PutBucketNotification",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:GetBucketLocation",
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning"
            ],
            "Resource": [
                "arn:aws:kms:xxx",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:RestoreObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging",
                "s3:GetObjectVersionTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/YOUR_FOLDER_NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

{% endtab %}
{% endtabs %}

When the policy is saved, the "Summary" should list three services: KMS, S3, and STS.

![sse-kms-2](https://3193631692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWUqIqZhOK_i4HqCUpT%2Fuploads%2Fgit-blob-8a269de14a5b226832e1bf75efba4084ee1d3d21%2Fsse-kms-2.png?alt=media\&token=58df674e-0fd7-40cd-8378-964e8fd9afab)
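The policy above is easy to get subtly wrong: the `arn:aws:kms:xxx` placeholder left in, a key from another region, or the object statement pointed at the bucket root. The following script is an added example and not ICA's own tooling: it fills the page's template from a bucket name, folder, KMS key ARN and versioning mode, then lints the result before you paste it into IAM. The bucket name, folder and key ARN in it are constructed sample values.

```python
"""Generate and lint the ICA data-access IAM policy for an SSE-KMS bucket.

Added example, not ICA's own tooling. It reproduces the policy template from
the page for one bucket and then applies the checks a reviewer would make
before attaching it: the KMS key ARN is a real key ARN (the "arn:aws:kms:xxx"
placeholder is rejected) in the bucket's region, no action is wildcarded,
object access is scoped to a folder rather than the bucket root, and a
versioned bucket gets the version actions. Standard library only, runs offline.
"""
import json

KMS_ACTIONS = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"]
BUCKET_ACTIONS = ["s3:PutBucketNotification", "s3:ListBucket",
                  "s3:GetBucketNotification", "s3:GetBucketLocation"]
VERSIONED_BUCKET_ACTIONS = ["s3:ListBucketVersions", "s3:GetBucketVersioning"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:RestoreObject",
                  "s3:DeleteObject", "s3:GetObjectTagging", "s3:PutObjectTagging"]
VERSIONED_OBJECT_ACTIONS = ["s3:DeleteObjectVersion", "s3:GetObjectVersion",
                            "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging"]


def build_policy(bucket, prefix, kms_key_arn, versioned=False):
    """Return the page's policy template as a dict, filled in for one bucket."""
    bucket_actions = BUCKET_ACTIONS + (VERSIONED_BUCKET_ACTIONS if versioned else [])
    object_actions = OBJECT_ACTIONS + (VERSIONED_OBJECT_ACTIONS if versioned else [])
    prefix = prefix.strip("/")
    # An empty prefix means the bucket root, which the page advises against.
    objects = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": KMS_ACTIONS + bucket_actions,
             "Resource": [kms_key_arn, f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": object_actions, "Resource": objects},
            {"Effect": "Allow", "Action": ["sts:GetFederationToken"], "Resource": ["*"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy, bucket_region, versioned=False):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        granted.update(actions)
        findings += [f"wildcard action {a!r}" for a in actions if "*" in a]
        if any(a.startswith("kms:") for a in actions):
            # Cryptographic KMS actions must name a key ARN (not an alias ARN or "*"),
            # and S3 default encryption requires the key to be in the bucket's region.
            key_arns = [r for r in resources if r.startswith("arn:aws:kms:")]
            if not key_arns:
                findings.append("KMS actions granted without a KMS key ARN in Resource")
            for arn in key_arns:
                parts = arn.split(":")  # arn:aws:kms:REGION:ACCOUNT:key/KEY_ID
                if len(parts) != 6 or not parts[5].startswith("key/"):
                    findings.append(f"malformed KMS key ARN {arn!r}")
                elif parts[3] != bucket_region:
                    findings.append(f"KMS key region {parts[3]!r} differs from bucket region {bucket_region!r}")
        for r in resources:
            if r.startswith("arn:aws:s3:::") and r.endswith("/*"):
                key_part = r[len("arn:aws:s3:::"):].split("/", 1)[1]
                if key_part == "*":
                    findings.append(f"object access granted at the bucket root: {r}")
    findings += [f"missing {a}" for a in KMS_ACTIONS if a not in granted]
    if versioned:
        needed = VERSIONED_BUCKET_ACTIONS + VERSIONED_OBJECT_ACTIONS
        findings += [f"versioned bucket but missing {a}" for a in needed if a not in granted]
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket, folder and key ARN.
    key_arn = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"
    good = build_policy("example-ica-bucket", "ica-project-data", key_arn, versioned=True)
    print(json.dumps(good, indent=4))
    print("findings:", lint_policy(good, "us-east-1", versioned=True))
    # Placeholder ARN left in and the root folder used: both are flagged.
    print("findings:", lint_policy(build_policy("example-ica-bucket", "", "arn:aws:kms:xxx"), "us-east-1"))
```

Run it with the bucket's actual region (the S3 bucket ARN carries no region, so the script takes it as an argument) and treat any finding as a reason not to attach the policy; the KMS and root-prefix checks catch exactly the two mistakes that otherwise surface only as `AccessDenied` from S3 or as a bucket that can no longer be shared across projects.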

## Create the S3-SSE-KMS configuration in ICA

Follow the [general instructions](https://help.ica.illumina.com/home/h-storage/..#create-a-storage-configuration) for creating a storage configuration in ICA.

In step 3 of that process, expand `[Optional] Server Side Encryption` and enter the algorithm and key name that ICA should use for server-side encryption:

* In "Algorithm", enter `aws:kms`
* In "Key Name", enter the KMS key ARN (`arn:aws:kms:xxx`, replaced with the ARN of your key)

{% hint style="warning" %}
Although "Key prefix" is optional, it is highly recommended to set it to the folder you created rather than using the root of your S3 bucket. "Key prefix" is the name of that folder in the bucket.

Once a key prefix is used in a storage configuration, no additional storage configurations can be created under that same path.
{% endhint %}

<figure><img src="https://3193631692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWUqIqZhOK_i4HqCUpT%2Fuploads%2Fgit-blob-33524a2f6e025ddd10fc5c936eef71b1a4f6a67d%2Fimage%20(119).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

## Cross-Account Copy Setup for S3 buckets with SSE-KMS encryption

### KMS Policy

In addition to following the instructions to [Enable Cross-Account Access (IAM User)](https://help.ica.illumina.com/home/h-storage/iam-user-method#id-8-enabling-cross-account-access-for-copy-and-move-operations) and [Enable Cross-Account Access (IAM Role)](https://help.ica.illumina.com/home/h-storage/iam-role-method#id-8-enabling-cross-account-access-for-copy-and-move-operations), the **KMS key policy** of the key that encrypts the bucket must include the following statement (refer to the Role ARN table from the linked page for the `ASSUME_ROLE_ARN` value). Add it to the existing key policy's "Statement" array rather than replacing the policy, so the statements that give your own account control of the key remain in place:

```json
    {
        "Sid": "AllowCrossAccountAccess",
        "Effect": "Allow",
        "Principal": {
            "AWS": "ASSUME_ROLE_ARN"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }
```
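A key policy is replaced whole by `aws kms put-key-policy`, so the safe way to add the statement above is to fetch the current policy, merge the statement in, and check the result before writing it back. The script below is an added example and not ICA's own tooling: it merges the `AllowCrossAccountAccess` statement into an existing key policy, accepts only a single IAM role ARN as the principal, and refuses to emit a policy that would leave your own account without control of the key (a key policy that no longer allows the account root cannot be repaired through IAM policies). The key policy and role ARN in it are constructed sample values; the real `ASSUME_ROLE_ARN` comes from the Role ARN table on the linked page.

```python
"""Merge the cross-account statement from the page into an existing KMS key policy.

Added example, not ICA's own tooling. Input is the key's current policy
document (in practice the output of `aws kms get-key-policy --policy-name
default`); output is a new document with the "AllowCrossAccountAccess"
statement appended, ready for `aws kms put-key-policy`. The sample key policy
and role ARN below are constructed placeholders.
"""
import json
import re

# A single IAM role in some account; "*", bare account IDs and users are rejected.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
CROSS_ACCOUNT_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                         "kms:GenerateDataKey*", "kms:DescribeKey"]

# Constructed sample: the default key policy AWS creates, with a made-up account ID.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}
SAMPLE_ROLE_ARN = "arn:aws:iam::222222222222:role/example-ica-copy-role"  # placeholder, not the real one


def cross_account_statement(assume_role_arn):
    """The statement from the page, accepting only one IAM role as principal."""
    if not ROLE_ARN_RE.match(assume_role_arn):
        raise ValueError(f"expected an IAM role ARN, got {assume_role_arn!r}")
    return {
        "Sid": "AllowCrossAccountAccess",
        "Effect": "Allow",
        "Principal": {"AWS": assume_role_arn},
        "Action": list(CROSS_ACCOUNT_ACTIONS),
        "Resource": "*",  # inside a key policy, "*" means this key only
    }


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def owner_keeps_control(policy, account_id):
    """True if an Allow statement still lets the owning account's root manage the key."""
    root = f"arn:aws:iam::{account_id}:root"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") == "Allow" and root in _principals(st) \
                and any(a in ("kms:*", "kms:PutKeyPolicy") for a in actions):
            return True
    return False


def add_cross_account_access(policy, assume_role_arn, account_id):
    """Return a new policy document with the cross-account statement merged in."""
    new = json.loads(json.dumps(policy))  # work on a copy, never the caller's dict
    if not owner_keeps_control(new, account_id):
        raise ValueError("key policy does not keep the owning account's root in control; "
                         "adding the grant would risk an unmanageable key")
    stmt = cross_account_statement(assume_role_arn)
    # Drop any earlier statement with the same Sid so reruns stay idempotent.
    new["Statement"] = [s for s in new["Statement"] if s.get("Sid") != stmt["Sid"]] + [stmt]
    return new


if __name__ == "__main__":
    merged = add_cross_account_access(SAMPLE_KEY_POLICY, SAMPLE_ROLE_ARN, "111111111111")
    print(json.dumps(merged, indent=4))  # pass this file to `aws kms put-key-policy --policy-name default`
```

The principal check matters because the statement grants `kms:ReEncrypt*` and `kms:GenerateDataKey*` on the key; with a bare account ID or `*` in place of the role ARN, every principal in that account (or everywhere) could produce data keys under your key. The lockout check is what keeps the merge from turning a key you own into one only the other account can use.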
