KMS 和 S3 存储桶

Question

\n

1. 我有一个桶，里面有文件

   \n
\n

2. 我已通过存储桶策略向 test-user1（在 IAM 中具有 AdministratorAccess 策略）授予完全访问权限

   \n
\n

\n

    "Version": "2012-10-17",\n    "Id": "Policy1595762326470",\n    "Statement": [\n        {\n            "Sid": "Stmt1595762736524",\n            "Effect": "Allow",\n            "Principal": {\n                "AWS": "arn:aws:iam::xxx:user/test-user1"\n            },\n            "Action": [\n                "s3:*"\n            ],\n            "Resource": "arn:aws:s3:::test-user1-bucket"\n        }\n    ]\n}\n

\n

\n

3. 存储桶对该存储桶使用 AWS-KMS（CMK 加密），并且 test-user1 不在该 \xd1\x81ustomer 托管密钥的关键用户列表中

   \n
\n

4. 主要政策如下：

   \n
\n

\n

{\n    "Id": "key-consolepolicy-3",\n    "Version": "2012-10-17",\n    "Statement": [\n        {\n            "Sid": "Enable IAM User Permissions",\n            "Effect": "Allow",\n            "Principal": {\n                "AWS": "arn:aws:iam::xxx:root"\n            },\n            "Action": "kms:*",\n            "Resource": "*"\n        },\n        {\n            "Sid": "Allow access for Key Administrators",\n            "Effect": "Allow",\n            "Principal": {\n                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"\n            },\n            "Action": [\n                "kms:Create*",\n                "kms:Describe*",\n                "kms:Enable*",\n                "kms:List*",\n                "kms:Put*",\n                "kms:Update*",\n                "kms:Revoke*",\n                "kms:Disable*",\n                "kms:Get*",\n                "kms:Delete*",\n                "kms:TagResource",\n                "kms:UntagResource",\n                "kms:ScheduleKeyDeletion",\n                "kms:CancelKeyDeletion"\n            ],\n            "Resource": "*"\n        },\n        {\n            "Sid": "Allow use of the key",\n            "Effect": "Allow",\n            "Principal": {\n                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"\n            },\n            "Action": [\n                "kms:Encrypt",\n                "kms:Decrypt",\n                "kms:ReEncrypt*",\n                "kms:GenerateDataKey*",\n                "kms:DescribeKey"\n            ],\n            "Resource": "*"\n        },\n        {\n            "Sid": "Allow attachment of persistent resources",\n            "Effect": "Allow",\n            "Principal": {\n                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"\n            },\n            "Action": [\n                "kms:CreateGrant",\n                "kms:ListGrants",\n                "kms:RevokeGrant"\n            ],\n            "Resource": "*",\n            "Condition": {\n                "Bool": {\n                    "kms:GrantIsForAWSResource": "true"\n                }\n            }\n        }\n    ]\n}\n

\n

test-user1 可以从存储桶中下载并读取文件吗？\n如果可以，为什么他可以？

\n

Answer 1

当您指示 S3 使用 KMS 加密静态对象时，S3 将在存储对象时自动使用 S3 加密该对象，并在访问该对象时解密该对象。如果 KMS CMK 的资源策略允许账户中的所有 IAM 用户使用密钥，则任何有权访问 S3 存储桶的 IAM 用户都可以从 S3 下载对象，并且他们收到的内容将是未加密的。如果您锁定对 CMK 的访问权限，则只有有权使用 CMK 进行解密的用户（除了访问 S3 存储桶的权限之外）才能从 S3 下载对象。如果用户无权访问用于加密对象的 KMS 密钥，那么他们实际上会收到访问被拒绝错误，而不是像您预期的那样从 S3 接收加密对象。

您最初假设用户能够从 S3 下载对象，但他们会收到对象的加密版本，这是不正确的，因为解密发生在 S3 内的服务器端。如果您希望用户能够从 S3 下载文件的加密版本，那么您必须在上传到 S3 之前自行加密文件。