[Cyberduck-trac] [Cyberduck] #10488: Cyberduck ignores S3 upload encryption policy when creating a Cryptomator Vault. User unable to create vault in bucket requiring `"s3:x-amz-server-side-encryption": "AES256"`

Cyberduck trac at cyberduck.io
Sun Oct 7 19:34:22 UTC 2018


#10488: Cyberduck ignores S3 upload encryption policy when creating a Cryptomator Vault. User unable to create vault in bucket requiring `"s3:x-amz-server-side-encryption": "AES256"`
-----------------------------+----------------------
 Reporter:  a.cyberduc.user  |         Owner:
     Type:  defect           |        Status:  new
 Priority:  normal           |     Milestone:
Component:  s3               |       Version:  6.8.0
 Severity:  normal           |    Resolution:
 Keywords:                   |  Architecture:
 Platform:  macOS 10.14      |
-----------------------------+----------------------
Description changed by a.cyberduc.user:

New description:

 Hi there.  It took a bit of testing to narrow this one down, but I believe
 you will be able to reproduce this issue pretty easily.

 Me:
 macOS 10.14 (18A391)
 Cyberduck 6.7.0 (28613)

 The issue:

 I have an AWS user with Administrator privileges.
 This user can create and upload files at will via either the AWS Web UI or
 CyberDuck.
 This user is not able to create a new Cryptomator vault, using Cyberduck.

 How to reproduce:
 0. make sure the S3 > Encryption setting is set to `SSE-S3 (AES 256)` in
 CyberDuck settings
 1. create an IAM user with the Administrator policy (specified below)
 2. create an S3 bucket with the Bucket Policy (also, below)
 3. configure Cyberduck to connect to the bucket with the user key/secret
 from step 1
 4. attempt to create a folder in bucket; this should work
 5. attempt to create a new encrypted vault; this should fail.

 Here's the bucket policy I am using. {{{MY_BUCKET_NAME}}} replaces the
 actual bucket name.

 {{{
 {
     "Version": "2012-10-17",
     "Id": "force encrypt at rest for date",
     "Statement": [
         {
             "Sid": "DenyIncorrectEncryptionHeader",
             "Effect": "Deny",
             "Principal": "*",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
             "Condition": {
                 "StringNotEquals": {
                     "s3:x-amz-server-side-encryption": "AES256"
                 }
             }
         },
         {
             "Sid": "DenyUnEncryptedObjectUploads",
             "Effect": "Deny",
             "Principal": "*",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
             "Condition": {
                 "Null": {
                     "s3:x-amz-server-side-encryption": "true"
                 }
             }
         }
     ]
 }
 }}}

 Here's the User policy I am using; this is akin to root level access

 ```
 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": "*",
             "Resource": "*"
         }
     ]
 }
 ```


 Here's the Log from Cyberduck when connecting to the S3 bookmark with the
 Admin account detailed above. I am browsing a few directories deep to the
 location where I would like to create the Cryptomator vault:

 ```
 GET / HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:08 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: s3.amazonaws.com
 x-amz-date: 20181007T191708Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: 97ExqV0ZxTT3738rfjrj11aao9WfkncVQHeeplQ+dIjXKi0T7lEld0TMynLnmiivt0GV6ljAwwc=
 x-amz-request-id: 21444FBD145A6CEF
 Date: Sun, 07 Oct 2018 19:17:09 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET / HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:08 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: s3.amazonaws.com
 x-amz-date: 20181007T191708Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: JnA/A9g9exOhYkmcaUXZ9KvSF1KkLqw7yYTjyetrv3R/uONMSF2pC4Hx2HpCXf4N5yDOBXA1no4=
 x-amz-request-id: 3ECF6D6D85C38D47
 Date: Sun, 07 Oct 2018 19:17:09 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET / HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:08 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: s3.amazonaws.com
 x-amz-date: 20181007T191708Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: VC8tDFXQmPoePQ8mqJGd8HEg8IYT81qEJ/Wbi8yZRfM/r3yAJN1j1XKUe4wXKniFJ53YBjYX8JE=
 x-amz-request-id: EFC47358A535E5C9
 Date: Sun, 07 Oct 2018 19:17:09 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?location HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:09 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191709Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 400 Bad Request
 x-amz-request-id: 52BB6CC9CE3AC892
 x-amz-id-2: vYqxkFHosnfruN2rgqueimgCRGJa6kbqWujJms4SAWPlKGVLx3zSORRnU/3njjU9xOkmyjD6Wzk=
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Date: Sun, 07 Oct 2018 19:17:08 GMT
 Connection: close
 Server: AmazonS3
 GET /?location HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:09 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191709Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: cpVbjy2IVm0bBBpE6f0kBdSd5rZICREAINp4q1h6Xe0KYpRrirdiyuJanbhwCBnebAUDBdwU5ck=
 x-amz-request-id: 0D441CA5B15F5A06
 Date: Sun, 07 Oct 2018 19:17:10 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?versioning HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:39 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191739Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: NgI8pq3aIfcB8E9J/uYQB7b7s/ShEpN5vCtxqNRVxxknCtY5J/DhlgxYCiHrmLwWhXSy70TOhQ0=
 x-amz-request-id: 3E745C0AA14E068C
 Date: Sun, 07 Oct 2018 19:17:40 GMT
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?max-keys=1000&versions&prefix&delimiter=%2F HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:39 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191739Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: LDOQYBUQ6Sf0upXWEw50XjGajrxBp9P8WhnK06A3rwjYpxQjoonA9/8zBbh1wc2ARpzmJ6nAbB0=
 x-amz-request-id: 1013309AC1494B4A
 Date: Sun, 07 Oct 2018 19:17:40 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?uploads HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:39 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191739Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: 25hm9HLudZxuLsQa7TYRQvudTQ7jfBpyJhdozM7elEa7Z5DSrB2A1nvGTH1DuJgc+7mV0xR3MAg=
 x-amz-request-id: 8FE7B857AF907F57
 Date: Sun, 07 Oct 2018 19:17:40 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:42 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191742Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: EqKTKvsUoGrGyMblZblrP+J1e4Hwyb4D+2ranblNBXpXXGTUTQNMvJMCKe00/P9q2Umiu6ZB3Mk=
 x-amz-request-id: DE75085D8F1512AC
 Date: Sun, 07 Oct 2018 19:17:43 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
 Date: Sun, 07 Oct 2018 19:17:42 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191742Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: Ukr6HK9nJb0XB0Axc/q0FwqvXipt1RA7d7HvR9vneairun8UTBoZI1UiUp2VFL9hDYGCIlA9meA=
 x-amz-request-id: 7DED0B45902B7187
 Date: Sun, 07 Oct 2018 19:17:43 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3

 ```

 And here's me trying to create a `test-folder`. This action succeeds.

 ```
 PUT /MY_BUCKET_PREFIX/test-folder/ HTTP/1.1
 Date: Sun, 07 Oct 2018 19:18:54 GMT
 Expect: 100-continue
 Content-Type: application/x-directory
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 x-amz-server-side-encryption: AES256
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191854Z
 Authorization: ********
 Content-Length: 0
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: r61qLybeBa7YE1IVtwaTTha5af6zK2NVhQXF/pB1fTJ47VALfz5SK5LTEID8qm7lh9Pom3usfVI=
 x-amz-request-id: B95A0EB56F13EE9C
 Date: Sun, 07 Oct 2018 19:18:55 GMT
 x-amz-server-side-encryption: AES256
 ETag: "d41d8cd98f00b204e9800998ecf8427e"
 Content-Length: 0
 Server: AmazonS3
 GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
 Date: Sun, 07 Oct 2018 19:18:55 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191855Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: TzzkuOrStHg1L7L/GA7z6ASRbcGTyuDnlgYm4Xn31tQIBZweIGlPNyZDnS1RfC5PZ9e6Zrzy6E4=
 x-amz-request-id: 8671AE55F534C81C
 Date: Sun, 07 Oct 2018 19:18:56 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
 Date: Sun, 07 Oct 2018 19:18:55 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191855Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: cQM2bEUrwyxpDe4/F0Br5I9iCoHVaiKt9uwTIvB6VPioIQO2O58ZRBPuhIDaDq/ScoJNkWtPn/0=
 x-amz-request-id: B9B127003293E008
 Date: Sun, 07 Oct 2018 19:18:56 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 ```

 And here's the log from trying to create a `test-vault`. I get this error
 in Cyberduck:
 ```
 Upload test-vault failed.
 Access Denied. Please contact your web hosting service provider for
 assistance.
 ```

 And here's the connection log. I clicked `try again` once before clicking
 cancel:
 ```
 PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
 Date: Sun, 07 Oct 2018 19:19:38 GMT
 Expect: 100-continue
 Content-Type: application/x-directory
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T191938Z
 Authorization: ********
 Content-Length: 0
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
 Date: Sun, 07 Oct 2018 19:20:18 GMT
 Expect: 100-continue
 Content-Type: application/x-directory
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T192018Z
 Authorization: ********
 Content-Length: 0
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
 Date: Sun, 07 Oct 2018 19:20:20 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T192020Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: MkFr74BriPUXzjLVe9jwyyAJ+02odaOLCiUbCGPIYrjiU89rZCZBAwJB157vp462bUVWQo4/l+M=
 x-amz-request-id: 9A3EBDB60F0255CB
 Date: Sun, 07 Oct 2018 19:20:21 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
 Date: Sun, 07 Oct 2018 19:20:20 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: MY_BUCKET_NAME.s3.amazonaws.com
 x-amz-date: 20181007T192020Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
 HTTP/1.1 200 OK
 x-amz-id-2: IsBWnSdi/uuzk/UNzZWM0iGLOWOv1OPSho2l9fRLb8NOzPuToba253FgK9CibO/ST0Hp3f6MFT4=
 x-amz-request-id: 76375E460D298CED
 Date: Sun, 07 Oct 2018 19:20:21 GMT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Server: AmazonS3
 ```


 There is nothing particularly useful in `console.app` even after turning
 Cyberduck debugging mode on:
 ```
 default 12:19:28.792415 -0700   Cyberduck       27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 307 vs 532, 512, <private>
 default 12:20:09.333915 -0700   Cyberduck       27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 309 vs 536, 512, <private>
 default 12:20:15.921380 -0700   Cyberduck       27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 311 vs 540, 512, <private>
 default 12:20:22.104317 -0700   Cyberduck       Requesting sharingServicesForItems:<private> mask:6
 default 12:20:22.104550 -0700   Cyberduck       filteredItemsFromItems:<private> [2057]--> <private>
 default 12:20:22.105861 -0700   Cyberduck       Discover <private>
 default 12:20:22.123759 -0700   Cyberduck       discovery complete: 3 plugins
 default 12:20:22.124437 -0700   Cyberduck       Discover done
 default 12:20:22.124644 -0700   Cyberduck       Discover <private>
 default 12:20:22.144425 -0700   Cyberduck       discovery complete: 4 plugins
 default 12:20:22.144500 -0700   Cyberduck       Discover done
 default 12:20:22.144642 -0700   Cyberduck       services: <private>
 default 12:20:22.145180 -0700   Cyberduck       Requesting sharingServicesForItems:<private> mask:6
 default 12:20:22.145425 -0700   Cyberduck       filteredItemsFromItems:<private> [2057]--> <private>
 default 12:20:22.145947 -0700   Cyberduck       Discover <private>
 default 12:20:22.153916 -0700   Cyberduck       discovery complete: 3 plugins
 default 12:20:22.154574 -0700   Cyberduck       Discover done
 default 12:20:22.154618 -0700   Cyberduck       Discover <private>
 default 12:20:22.164258 -0700   Cyberduck       discovery complete: 4 plugins
 default 12:20:22.164372 -0700   Cyberduck       Discover done
 default 12:20:22.164552 -0700   Cyberduck       services: <private>
 default 12:20:22.164968 -0700   Cyberduck       Requesting sharingServicesForItems:<private> mask:6
 default 12:20:22.165115 -0700   Cyberduck       filteredItemsFromItems:<private> [2057]--> <private>
 default 12:20:22.165515 -0700   Cyberduck       Discover <private>
 default 12:20:22.173573 -0700   Cyberduck       discovery complete: 3 plugins
 default 12:20:22.174238 -0700   Cyberduck       Discover done
 default 12:20:22.174298 -0700   Cyberduck       Discover <private>
 default 12:20:22.184411 -0700   Cyberduck       discovery complete: 4 plugins
 default 12:20:22.184491 -0700   Cyberduck       Discover done
 default 12:20:22.184633 -0700   Cyberduck       services: <private>
 default 12:20:22.185144 -0700   Cyberduck       Requesting sharingServicesForItems:<private> mask:6
 default 12:20:22.185333 -0700   Cyberduck       filteredItemsFromItems:<private> [2057]--> <private>
 default 12:20:22.185877 -0700   Cyberduck       Discover <private>
 default 12:20:22.193870 -0700   Cyberduck       discovery complete: 3 plugins
 default 12:20:22.194551 -0700   Cyberduck       Discover done
 default 12:20:22.194606 -0700   Cyberduck       Discover <private>
 default 12:20:22.205383 -0700   Cyberduck       discovery complete: 4 plugins
 default 12:20:22.205486 -0700   Cyberduck       Discover done
 default 12:20:22.205676 -0700   Cyberduck       services: <private>
 ```


 As soon as I remove the bucket policy, I have no issues creating the
 vault.

 It appears that Cyberduck is ignoring my settings for S3 uploads, under
 the `Encryption` heading.

 Please let me know what else you need from me in order to reproduce & fix.

 Thank you
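To pin down which statement of the bucket policy rejects the vault upload, here is an added example (not Cyberduck's code and not part of the ticket) that replays the two logged PUT requests against the policy's two Deny conditions. The request texts are shortened copies of the ticket's log, the condition semantics are a simplification (a missing key is modelled as never satisfying StringNotEquals, and Principal and Resource are assumed to match), and the "Action" mapping treats any PUT on an object key as s3:PutObject.

```python
"""Replay logged S3 PUT requests against the ticket's SSE-enforcing bucket policy."""
import json

# Constructed copy of the two Deny statements from the ticket (bucket name is a placeholder).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")

# Constructed, shortened copies of the two PUTs in the ticket's connection log:
# the plain folder carries the SSE header, the vault directory does not.
FOLDER_PUT = """PUT /MY_BUCKET_PREFIX/test-folder/ HTTP/1.1
Content-Type: application/x-directory
x-amz-server-side-encryption: AES256
Host: MY_BUCKET_NAME.s3.amazonaws.com
Content-Length: 0
"""

VAULT_PUT = """PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Content-Type: application/x-directory
Host: MY_BUCKET_NAME.s3.amazonaws.com
Content-Length: 0
"""


def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP request; header names lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def request_context(method, path, headers):
    """Map the request onto the condition keys the policy can reference (simplified)."""
    ctx = {}
    if method == "PUT" and "?" not in path:  # PUT on an object key, not a bucket sub-resource
        ctx["action"] = "s3:PutObject"
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition operator; modelled semantics, see the lead-in."""
    present = key in ctx
    if operator == "Null":
        # "Null": {key: "true"} matches when the key is absent from the request.
        return present != (str(expected).lower() == "true")
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":
        # Assumption: an absent key is left to the Null statement rather than matched here.
        return present and ctx[key] != expected
    raise ValueError("unsupported operator: " + operator)


def denying_sids(policy, ctx):
    """Return the Sids of Deny statements whose action and every condition match."""
    sids = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or statement["Action"] != ctx.get("action"):
            continue
        conditions = statement.get("Condition", {})
        if all(condition_matches(op, key, val, ctx)
               for op, pairs in conditions.items() for key, val in pairs.items()):
            sids.append(statement["Sid"])
    return sids


def check_put(raw):
    """Which Deny statements (if any) reject this logged PUT request."""
    return denying_sids(BUCKET_POLICY, request_context(*parse_request(raw)))


if __name__ == "__main__":
    for label, raw in (("test-folder", FOLDER_PUT), ("test-vault", VAULT_PUT)):
        print(label, "denied by", check_put(raw) or "nothing")
```

Running the same parser over a full Cyberduck transfer log flags every object PUT that lacks the header, which is the check to make before blaming the bucket policy.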

--

--
Ticket URL: <https://trac.cyberduck.io/ticket/10488#comment:1>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows