Amazon Macie: putClassificationExportConfiguration error when creating a bucket to retain discovery results

Are*_*oro 5 amazon-s3 amazon-web-services amazon-iam amazon-kms amazon-macie

We have just started using Amazon Macie and are running into a problem creating the bucket to retain the results for longer than 90 days.

The error we get is:

putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both.

We connect to the console using AWS SSO, and when I look at the IAM policy configuration, my user has administrator permissions on resources and actions.

The S3 bucket policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:accountid:key/keynumber"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::macie-investigations"
    }
  ]
}

This is the policy for the symmetric key we created:

{
  "Sid": "Allow Macie to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "macie.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": "*"
}

The KMS key allows my role and Macie's role both as key administrators and in the key-usage configuration, as follows:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountid:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
                    "arn:aws:iam::accountid:user/username"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
                    "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
                    "arn:aws:iam::accountid:user/username"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
                    "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
                    "arn:aws:iam::accountid:user/username"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

We tried creating an IAM user with the specific macie2:PutClassificationExportConfiguration permission, without success.

Creating a new bucket, whether public or private, did not help either. We also tried explicitly adding the administrator user to the bucket policy and granting the macie service all permissions in the policy, but that did not help either. We always get the same error. The bucket is in the same region and account as the key.

The only thing coming from a different account is the AWS SSO managed roles, which belong to the master account of the organization.

Does anyone know where we should look for the missing link that we are obviously not seeing?

Thank you very much for your help!

Are*_*oro 7

The key created in KMS was missing the following statement in its policy:

{
    "Sid": "Allow Macie to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "macie.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
    ],
    "Resource": "*"
}
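As an added example (not part of the question or the answer), a small Python checker that parses a KMS key policy like the ones above and reports which of the actions Macie's service principal needs are still not granted to it; the same function works on a bucket policy by passing the S3 actions instead. The embedded key policy is a constructed, reduced version of the one in the question, and `accountid` is the page's own placeholder. Note that granting the AWSServiceRoleForAmazonMacie IAM role is not the same as granting the `macie.amazonaws.com` service principal, which is exactly the gap the answer points at.

```python
"""Check a KMS key policy (or S3 bucket policy) for the statements Amazon Macie's
service principal needs before PutClassificationExportConfiguration will succeed."""
import json

MACIE_SERVICE = "macie.amazonaws.com"
KMS_REQUIRED = ("kms:GenerateDataKey", "kms:Encrypt")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_macie(statement, action):
    """True if an Allow statement names the Macie *service* principal (not the
    AWSServiceRoleForAmazonMacie IAM role) and covers `action`, wildcards included."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if MACIE_SERVICE not in services:
        return False
    return any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
               for a in _as_list(statement.get("Action", [])))


def missing_macie_actions(policy_json, required):
    """Return the required actions that no statement grants to the Macie service principal."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [act for act in required if not any(_allows_macie(s, act) for s in statements)]


def add_macie_key_statement(policy_json):
    """Append the statement from the accepted answer if the key policy lacks it."""
    policy = json.loads(policy_json)
    if missing_macie_actions(policy_json, KMS_REQUIRED):
        policy["Statement"] = _as_list(policy.get("Statement", [])) + [{
            "Sid": "Allow Macie to use the key", "Effect": "Allow",
            "Principal": {"Service": MACIE_SERVICE},
            "Action": list(KMS_REQUIRED), "Resource": "*"}]
    return json.dumps(policy, indent=2)


# Constructed sample: the question's key policy reduced to the statements that matter.
# It grants Macie's service-linked IAM role use of the key, but never the service principal.
KEY_POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::accountid:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::accountid:role/aws-service-role/"
                          "macie.amazonaws.com/AWSServiceRoleForAmazonMacie"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]})

if __name__ == "__main__":
    print("missing before:", missing_macie_actions(KEY_POLICY_BEFORE, KMS_REQUIRED))
    print("missing after: ", missing_macie_actions(add_macie_key_statement(KEY_POLICY_BEFORE), KMS_REQUIRED))
```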