From 90cd63f7b23a41662b7158f39e48ec8fdef7997a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Se=C3=A1n=20Whelan?= Date: Wed, 8 Apr 2026 15:07:50 +0100 Subject: [PATCH 1/2] docs: document SSE-KMS incompatibility for S3 storage mapping buckets --- site/docs/getting-started/installation.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/site/docs/getting-started/installation.md b/site/docs/getting-started/installation.md index c671cfbd6fa..d5eda5fc481 100644 --- a/site/docs/getting-started/installation.md +++ b/site/docs/getting-started/installation.md @@ -114,6 +114,17 @@ Estuary's data plane IAM user will need the following actions: You can apply the policy through the [AWS Console](https://console.aws.amazon.com/s3/) or the `aws` CLI. The storage mapping dialog provides a ready-to-use policy JSON during connection testing. +#### S3 Bucket Encryption + +Estuary supports **SSE-S3** (Amazon S3 managed keys) for default bucket encryption. **SSE-KMS** (AWS Key Management Service) is **not supported** for storage mapping buckets because Estuary's data plane IAM user does not have access to your KMS keys. + +If your bucket uses SSE-KMS as the default encryption, change it to SSE-S3: + +1. In the [AWS Console](https://console.aws.amazon.com/s3/), navigate to your bucket. +2. Go to **Properties** > **Default encryption**. +3. Click **Edit** and change from **AWS Key Management Service key (SSE-KMS)** to **Amazon S3 managed key (SSE-S3)**. +4. Save the change, then retry the connection test in Estuary. + ### Azure Blob Storage For an [Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create) From 24e89f7aed9700ca19fc62cb0f1de45a63a2c751 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Se=C3=A1n=20Whelan?= Date: Wed, 8 Apr 2026 15:38:37 +0100 Subject: [PATCH 2/2] docs: add S3 encryption guidance and bucket policy tip for storage mappings --- site/docs/getting-started/installation.md | 31 ++++++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/site/docs/getting-started/installation.md b/site/docs/getting-started/installation.md index d5eda5fc481..69d202434bd 100644 --- a/site/docs/getting-started/installation.md +++ b/site/docs/getting-started/installation.md 
@@ -112,13 +112,36 @@ Estuary's data plane IAM user will need the following actions: * `s3:GetBucketPolicy` You can apply the policy through the [AWS Console](https://console.aws.amazon.com/s3/) or the `aws` CLI. -The storage mapping dialog provides a ready-to-use policy JSON during connection testing. -#### S3 Bucket Encryption +:::tip +The storage mapping dialog generates a complete bucket policy with the correct IAM ARNs for all data planes mapped to this bucket. Copy and paste it directly into your bucket's policy configuration — no manual ARN lookup needed. +::: -Estuary supports **SSE-S3** (Amazon S3 managed keys) for default bucket encryption. **SSE-KMS** (AWS Key Management Service) is **not supported** for storage mapping buckets because Estuary's data plane IAM user does not have access to your KMS keys. +#### S3 Bucket Encryption -If your bucket uses SSE-KMS as the default encryption, change it to SSE-S3: +S3 buckets are encrypted with **SSE-S3** (Amazon S3 managed keys) by default, which works with Estuary out of the box. + +If your bucket uses **SSE-KMS** (AWS Key Management Service) for default encryption, you must grant Estuary's data plane IAM user permissions on your KMS key. Add the following statement to your [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html): + +```json +{ + "Sid": "AllowEstuaryDataPlane", + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt", + "kms:DescribeKey" + ], + "Resource": "*" +} +``` + +Replace `` with your data plane's IAM ARN, found under **Admin > Settings > Data Planes** in the Estuary dashboard. + +Alternatively, you can switch your bucket's default encryption from SSE-KMS to SSE-S3 to avoid managing KMS permissions: 1. In the [AWS Console](https://console.aws.amazon.com/s3/), navigate to your bucket. 2. Go to **Properties** > **Default encryption**.
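Review bot: (PATCH 1/2, the `+#### S3 Bucket Encryption` hunk) Stating that SSE-KMS is **not supported** "because Estuary's data plane IAM user does not have access to your KMS keys" describes a missing grant, not an incompatibility: the bucket owner can add the data plane principal to the key policy, which is exactly what PATCH 2/2 goes on to document. Phrased as a hard limitation it will push users who must keep SSE-KMS (customer-managed keys, rotation or audit requirements) to downgrade their bucket for no reason; say instead that SSE-KMS needs a key-policy grant for the data plane user and keep the switch-to-SSE-S3 steps as the fallback. The numbered steps should also warn that changing **Default encryption** only affects newly written objects; anything already stored under SSE-KMS stays KMS-encrypted and still requires `kms:Decrypt` to be read.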
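Review bot: (PATCH 2/2) The KMS key-policy example has an empty principal, `"AWS": ""`, and the sentence beneath it reads "Replace `` with your data plane's IAM ARN", so the token the reader is supposed to replace is missing (most likely an angle-bracket placeholder that markdown swallowed as an HTML tag). Use a visible placeholder such as `"AWS": "DATA_PLANE_IAM_ARN"` in both the JSON and the sentence, and, since the `:::tip` in the same hunk says one bucket can be mapped to several data planes, note that `Principal.AWS` accepts a list of ARNs so each data plane can be granted in one statement. Two caveats deserve a sentence each: the key policy statement on its own only works if the data plane IAM user's identity policy in its own account also allows these `kms:` actions on the key (cross-account KMS access needs both sides), so the doc should say whether Estuary's data plane already carries that grant; and the "Alternatively, switch ... to SSE-S3" path changes encryption for new objects only, so objects already written under SSE-KMS still need `kms:Decrypt`. Last, the tip tells users to "Copy and paste it directly into your bucket's policy configuration"; pasting over an existing bucket policy replaces it, so the tip should say to merge the generated statements into any policy the bucket already has.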