Using the default KMS key for S3 cross-account access

lea*_*hru 7 amazon-s3 amazon-web-services amazon-iam

I have an S3 bucket in my account with SSE enabled using the default aws-kms key. I want to give another account read access to my bucket.

I followed this link to provide the access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object> . to download the object.

I tried providing cross-account access to a bucket without SSE enabled. I could retrieve the bucket details and download the object successfully. But when I try to download an object from the SSE-enabled bucket, I get the exception An error occurred (AccessDenied) when calling the GetObject operation: Access Denied. I can list the objects in the SSE-enabled bucket, but I cannot download them.

My bucket policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
              ]
            },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}


The ReadOnly role in the account has read access to all AWS services. In addition, I have attached the following policy to that role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SomeProperites",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketByTags",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:GetAccelerateConfiguration",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionTorrent",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:DescribeJob",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "SomePermission",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListJobs",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSWriteKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

I believe I cannot get the object because of the KMS decryption, since I can download from the bucket with SSE disabled. Are my policies above correct? Do I need to provide some extra permissions when using the default KMS key? Is it possible to use the default KMS key and provide cross-account access?

小智 9

-> SSE enabled using the default aws-kms key

That is the AWS managed KMS key. You can only view its key policy; you cannot edit it. So you will not be able to use the SSE-KMS AWS managed key for cross-account S3 object sharing.

Please switch to an SSE-KMS Customer Managed Key and grant the cross-account principal the decrypt action in the key policy of the chosen KMS CMK.


Jor*_*cia -1

To grant a user in account B access to an AWS KMS-encrypted bucket in account A, you must have the following permissions:

  • The bucket policy in account A must grant access to account B.
  • The AWS KMS key policy in account A must grant access to the user in account B.
  • The AWS Identity and Access Management (IAM) user policy in account B must grant the user access to both the bucket and the key in account A.

See more information here:

https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

  • The question explicitly mentions the "default kms key". Cross-account access with SSE-S3 is not possible unless you assume a role in the same account. (7 upvotes)
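Both answers come down to the same check: a cross-account GetObject on an SSE-KMS object succeeds only when the caller's IAM policy in account B, the bucket policy in account A and the KMS key policy in account A all allow it, and the policy on the AWS managed key (the one the first answer says cannot be edited) pins kms:CallerAccount to the key-owning account, so a caller from account B never passes it. The following is an added example, not code from the question or from either answer: a small offline evaluator that runs constructed versions of the three policies through a simplified subset of IAM logic and reports which of the four required allows fails. Account IDs, the bucket name, the key ARN and the policy documents are placeholders; the evaluator only understands Allow/Deny, action and resource wildcards, Principal matching and the kms:CallerAccount / kms:ViaService conditions, and it is no substitute for the IAM policy simulator.

```python
"""Offline check that all three policies involved in a cross-account read of an
SSE-KMS object allow it.  Added example for this thread, not code from the
question or the answers.  Implements a deliberately small subset of IAM
evaluation; account IDs, bucket name and key ARN are placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"                        # owns the bucket and the key (placeholder)
ACCOUNT_B = "222222222222"                        # the cross-account caller (placeholder)
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/ReadOnly"
BUCKET_ARN = "arn:aws:s3:::example-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KMS_USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]


def _lst(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value):
    # IAM action and resource matching: case-insensitive, '*' and '?' wildcards only
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _lst(patterns))


def _principal_ok(principal, caller_arn, caller_account):
    if principal == "*":
        return True
    for p in _lst(principal.get("AWS", [])):
        # exact ARN, or a whole-account trust (bare account id or its :root ARN)
        if p in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _condition_ok(condition, caller_account):
    # Only the condition keys this example needs; anything else is treated as unmet
    for op, pairs in (condition or {}).items():
        for key, want in pairs.items():
            if (op, key) == ("StringEquals", "kms:CallerAccount"):
                if caller_account not in _lst(want):
                    return False
            elif (op, key) == ("StringEquals", "kms:ViaService"):
                continue                  # S3 makes the KMS call on the caller's behalf
            else:
                return False
    return True


def allows(policy, action, resource, caller_arn, caller_account, resource_policy=True):
    """True if an Allow statement matches the request and no matching Deny exists.
    Identity policies have no Principal element, so pass resource_policy=False."""
    allowed = False
    for s in policy["Statement"]:
        if not (_glob(s["Action"], action) and _glob(s["Resource"], resource)):
            continue
        if resource_policy and not _principal_ok(s.get("Principal", {}), caller_arn, caller_account):
            continue
        if not _condition_ok(s.get("Condition"), caller_account):
            continue
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def non_s3_actions(bucket_policy):
    """Actions in a bucket policy outside the s3: namespace; a kms:* statement in a
    bucket policy grants nothing on the key, the grant has to live in the key policy."""
    return [a for s in bucket_policy["Statement"] for a in _lst(s["Action"])
            if not a.lower().startswith("s3:")]


def cross_account_sse_kms_get(bucket_policy, key_policy, iam_policy,
                              obj=f"{BUCKET_ARN}/data/report.csv"):
    """One bool per place that must say yes before GetObject on an SSE-KMS object succeeds."""
    r = {
        "iam s3:GetObject":    allows(iam_policy, "s3:GetObject", obj, ROLE_B, ACCOUNT_B, resource_policy=False),
        "bucket s3:GetObject": allows(bucket_policy, "s3:GetObject", obj, ROLE_B, ACCOUNT_B),
        "iam kms:Decrypt":     allows(iam_policy, "kms:Decrypt", KEY_ARN, ROLE_B, ACCOUNT_B, resource_policy=False),
        "key kms:Decrypt":     allows(key_policy, "kms:Decrypt", KEY_ARN, ROLE_B, ACCOUNT_B),
    }
    r["readable"] = all(r.values())
    return r


# --- constructed sample policies (placeholders, not the poster's real documents) ---
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
]}
# Shape of the policy on the AWS managed key aws/s3: any principal, but only from the
# key-owning account and only through S3.  This document cannot be edited.
AWS_MANAGED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": KMS_USE, "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT_A,
                                    "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}
# Customer managed key: the owner keeps full control, account B's role may only decrypt
CMK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B}, "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
]}
# Identity policy on the ReadOnly role in account B: object reads need the /* resource,
# and the KMS grant is scoped to the one key rather than "*"
IAM_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print("default key:", cross_account_sse_kms_get(BUCKET_POLICY, AWS_MANAGED_KEY_POLICY, IAM_POLICY_B))
    print("CMK:        ", cross_account_sse_kms_get(BUCKET_POLICY, CMK_POLICY, IAM_POLICY_B))
```

Running it shows the split the question describes: with the AWS managed key every check passes except "key kms:Decrypt", which is exactly the point where S3 calls KMS on the caller's behalf and the managed key's kms:CallerAccount condition rejects account B; swapping in the customer managed key policy turns "readable" to True without touching the bucket or IAM policies. The non_s3_actions helper flags the kms:* statement the question placed in the bucket policy, and the identity-policy sample uses the bucket ARN with /* for s3:GetObject, which the question's role policy only gets by way of the account-wide read-only grant.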