nmh*_*nmh 5 encryption amazon-s3 amazon-web-services
我对我创建的 S3 存储桶具有读/写/管理员权限。我可以在那里创建对象并按预期删除它们。存储桶上存在从另一个 AWS 账户传输到那里的其他文件夹。我无法从这些文件夹下载任何项目。当我单击文件时,会显示“服务器端加密访问被拒绝”的信息。当我尝试删除此加密时,它失败并显示以下消息:
Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 93A26842904FFB2D; S3 Extended Request ID: OGQfxPPcd6OonP/CrCqfCIRQlMmsc8DwmeA4tygTGuEq18RbIx/psLiOfEdZHWbItpsI+M1yksQ=)
我对问题是什么感到困惑。我是存储桶的根用户/所有者,虽然我可以更改此材料的权限/加密?
谢谢
您必须确保您仍然是 S3 存储桶中文件的所有者,而不是上传到它的其他 AWS 账户。
S3 存储桶策略示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allowNewDataToBeUploaded",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*"
},{
"Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
外部帐户还必须x-amz-acl在其请求中使用标头:
ObjectMetadata metaData = new ObjectMetadata();
metaData.setContentLength(byteArrayLength);
metaData.setHeader("x-amz-acl", "bucket-owner-full-control");
s3Client.putObject(new PutObjectRequest(bucketNameAndFolder, fileKey, fileContentAsInputStream, metaData));
补充阅读:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html
https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTacl.html
这是一个有趣的问题。当解密文件所需的 KMS 密钥不可用/不可访问时,我以前见过这种情况。您可以尝试将 KMS 密钥从旧帐户移至新帐户,或从旧帐户访问该密钥。
| 归档时间: |
|
| 查看次数: |
9604 次 |
| 最近记录: |