
Last Updated: Nov 24, 2025

This topic describes how to use Alibaba Cloud Account A to encrypt Object Storage Service (OSS) resources in Alibaba Cloud Account B by using Key Management Service (KMS).

Prerequisites

  • A bucket is created by using Alibaba Cloud Account B. For more information, see Create a bucket.

  • A customer master key (CMK) is created by using Alibaba Cloud Account A in the region in which the bucket created by Alibaba Cloud Account B is located. For more information, see Create a CMK.

  • The AliyunKMSFullAccess policy is attached to a RAM user of Alibaba Cloud Account A. For more information, see Grant permissions to RAM users.

Procedure

  1. Grant the oss:PutObject permission to the RAM user of Alibaba Cloud Account A by using a bucket policy of Alibaba Cloud Account B.

    1. Log on to the OSS console with Alibaba Cloud Account B.

    2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket that stores OSS resources you want to encrypt.

    3. In the left-side navigation tree, choose Permission Control > Bucket Policy.

    4. On the Bucket Policy tab, click Add in GUI and click Authorize.

    5. In the Authorize panel, configure the parameters described in the following table. Then, click OK.

      Parameter             Description
      Applied To            Select Whole Bucket.
      Authorized User       Select Other Accounts and enter the ID of the RAM user of Alibaba Cloud Account A.
      Authorized Operation  Select Advanced Settings.
      Effect                Select Allow.
      Actions               Select oss:PutObject from the drop-down list.

  2. Encrypt objects in the bucket of Alibaba Cloud Account B by using the RAM user of Alibaba Cloud Account A.

    Use the OSS console

    1. Log on to the Alibaba Cloud Management Console as the RAM user of Alibaba Cloud Account A. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

    2. Go to the object upload page of the bucket.

      The URL of the object upload page is in the following format: https://oss.console.alibabacloud.com/bucket/{regionid}/{bucketname}/object/upload. Replace {regionid} and {bucketname} with the region ID and the name of the bucket created by Alibaba Cloud Account B.

    3. Upload an object and set the object encryption method to KMS. Specify the CMK that was created by Alibaba Cloud Account A.

      For more information, see Simple upload.

    Use ossutil

    1. Configure access credentials for the RAM user of Alibaba Cloud Account A.

      Set endpoint, accessKeyID, and accessKeySecret to the endpoint of the bucket created by Alibaba Cloud Account B, the AccessKey ID of the RAM user of Alibaba Cloud Account A, and the AccessKey secret of the RAM user of Alibaba Cloud Account A, respectively.

      [Credentials]
      endpoint = oss-cn-hangzhou.aliyuncs.com
      accessKeyID = LTAI*************
      accessKeySecret = 67DL*******************
    2. Run the following command as the RAM user of Alibaba Cloud Account A to upload the examplefile.txt object to the examplebucket bucket of Alibaba Cloud Account B. Set the encryption method to KMS, the encryption algorithm to AES256, and the encryption key to the CMK created by Alibaba Cloud Account A.

      ossutil api put-object --bucket examplebucket --key examplefile.txt --server-side-encryption KMS --server-side-data-encryption AES256 --server-side-encryption-key-id 7bd6e2fe-cd0e-483e-acb0-f4b9e1******

      If the encryption algorithm of the CMK used by the RAM user of Alibaba Cloud Account A to upload the object is SM4, you must specify the SM4 encryption algorithm in the x-oss-server-side-data-encryption header. Example:

      ossutil api put-object --bucket examplebucket --key examplefile.txt --server-side-encryption KMS --server-side-data-encryption SM4 --server-side-encryption-key-id 7bd6e2fe-cd0e-483e-acb0-f4b9e1******
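The following Python is an added example, not code from this topic or from the OSS SDK: it generates the least-privilege bucket policy behind step 1 (only oss:PutObject, one principal, one bucket), derives the SSE-KMS request headers used in step 2 from the KMS key spec (so an SM4 CMK cannot be sent with the AES256 header), and checks the headers OSS returns for an uploaded object against the expected CMK. The account IDs and the HeadObject response are constructed placeholders; the CMK ID is the masked value from the page.

```python
import json

# Constructed placeholders (hypothetical): replace with the real account and RAM user IDs.
ACCOUNT_B_UID = "174649585760xxxx"      # owner of examplebucket
RAM_USER_A_UID = "20214760404935xxxx"   # RAM user of Alibaba Cloud Account A
BUCKET = "examplebucket"
CMK_ID = "7bd6e2fe-cd0e-483e-acb0-f4b9e1******"   # masked CMK ID as shown on the page

# KMS key spec -> value of the x-oss-server-side-data-encryption header.
KEYSPEC_TO_ALGORITHM = {"Aliyun_AES_256": "AES256", "Aliyun_SM4": "SM4"}


def bucket_policy(owner_uid: str, bucket: str, ram_user_uid: str) -> dict:
    """Bucket policy for Account B: grant exactly oss:PutObject on this bucket to one RAM user."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Principal": [ram_user_uid],
            "Resource": [f"acs:oss:*:{owner_uid}:{bucket}/*"],
        }],
    }


def sse_kms_headers(cmk_id: str, key_spec: str) -> dict:
    """PutObject headers for SSE-KMS with Account A's CMK; rejects unknown key specs."""
    algorithm = KEYSPEC_TO_ALGORITHM.get(key_spec)
    if algorithm is None:
        raise ValueError(f"unsupported KMS key spec: {key_spec}")
    return {
        "x-oss-server-side-encryption": "KMS",
        "x-oss-server-side-data-encryption": algorithm,
        "x-oss-server-side-encryption-key-id": cmk_id,
    }


def encryption_mismatches(response_headers: dict, cmk_id: str, key_spec: str) -> dict:
    """Compare HeadObject/PutObject response headers with what was requested.

    Returns {header: actual_value} for every header that is missing or differs,
    so an empty dict means the object is encrypted with the expected CMK.
    """
    expected = sse_kms_headers(cmk_id, key_spec)
    lowered = {k.lower(): v for k, v in response_headers.items()}
    return {k: lowered.get(k) for k, v in expected.items() if lowered.get(k) != v}


if __name__ == "__main__":
    print(json.dumps(bucket_policy(ACCOUNT_B_UID, BUCKET, RAM_USER_A_UID), indent=2))
    print(sse_kms_headers(CMK_ID, "Aliyun_SM4"))
```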