AWS: Decrypt SES / KMS Emails

I played around with the SES email receipt rule sets today. I defined an S3 bucket to store incoming emails. I also checked the "Encrypt message" option with the primary KMS key for SES.

After that, I realized that I didn't know how to decrypt them, so I removed the encryption setting.

Now I have mail that I cannot open. Can someone tell me how to do this?

+3




1 answer


I will explain what happened.

S3 has two encryption modes (CSE and SSE for short) as defined here:

Server-side encryption. You ask Amazon S3 to encrypt your object before storing it to disks in your datacenters and to decrypt it when the objects are loaded.

Client-side encryption. You can encrypt data on the client side and upload the encrypted data to Amazon S3. In this case, you control the encryption process, encryption keys, and related tools.

SSE is easy for users as it is handled transparently by S3. CSE gets a little tricky as users/clients need to decrypt the data on their end.



SES now uses CSE as stated here:

Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is sent to Amazon S3 for storage. It is not encrypted using Amazon S3 Server Side Encryption. This means that you must use the Amazon S3 Encryption Client to decrypt the email after retrieving it from Amazon S3, as the service does not have access to use AWS KMS keys for decryption.

If you follow the links on the same page, you will end up here, which contains more information on receiving and decrypting emails.

+2
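
As an added example (not from this thread or from AWS), here is one way to do in Python what the answer describes: read the envelope that the S3 Encryption Client leaves in the object metadata, have KMS unwrap the data key, then decrypt the body with AES-GCM. The metadata names and algorithm values, the `boto3` and `cryptography` packages, and credentials with a default region and `kms:Decrypt` on the SES key are assumptions of this example.

```python
import base64
import json
from dataclasses import dataclass

# Envelope fields the S3 Encryption Client stores as object metadata.
# These names are an assumption of this example; the thread does not list them.
REQUIRED = ("x-amz-key-v2", "x-amz-iv", "x-amz-cek-alg", "x-amz-wrap-alg", "x-amz-matdesc")

@dataclass
class Envelope:
    wrapped_key: bytes  # data key, still encrypted under the KMS key
    iv: bytes           # AES-GCM nonce
    context: dict       # material description, passed to KMS as encryption context

def parse_envelope(metadata):
    """Return the CSE envelope, or None if the object carries no envelope."""
    meta = {k.lower(): v for k, v in metadata.items()}
    if "x-amz-key-v2" not in meta:
        return None  # plaintext or SSE object: S3 already returns readable bytes
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError(f"incomplete envelope, missing {missing}")
    if meta["x-amz-wrap-alg"] != "kms" or meta["x-amz-cek-alg"] != "AES/GCM/NoPadding":
        raise ValueError("envelope uses algorithms this example does not handle")
    if meta.get("x-amz-tag-len", "128") != "128":
        raise ValueError("only a 128-bit GCM tag is handled here")
    return Envelope(
        wrapped_key=base64.b64decode(meta["x-amz-key-v2"]),
        iv=base64.b64decode(meta["x-amz-iv"]),
        context=json.loads(meta["x-amz-matdesc"]),
    )

def decrypt_mail(bucket, key):
    """Fetch one stored message and return its raw bytes, decrypting if needed."""
    import boto3  # third-party, imported lazily so parse_envelope works without it
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    obj = boto3.client("s3").get_object(Bucket=bucket, Key=key)
    body, env = obj["Body"].read(), parse_envelope(obj["Metadata"])
    if env is None:
        return body
    # KMS unwraps the data key only if the encryption context matches the one
    # used at encryption time, so pass the stored material description as-is.
    data_key = boto3.client("kms").decrypt(
        CiphertextBlob=env.wrapped_key, EncryptionContext=env.context)["Plaintext"]
    # The body is ciphertext followed by the 16-byte tag; a modified object
    # makes decrypt() raise InvalidTag instead of returning data.
    return AESGCM(data_key).decrypt(env.iv, body, None)
```

Messages stored after the encryption option was switched off carry no envelope, so `decrypt_mail` returns them unchanged; the ones stored while it was on need the same KMS key to still exist and be enabled.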

