使用默认 kms 密钥的 s3 跨帐户访问
[英]s3 cross account access with default kms key
问题描述
I have an s3 bucket in my account which has SSE enabled using default aws-kms key.
我的帐户中有一个 s3 存储桶,它使用默认aws-kms密钥启用了 SSE。 I wish to provide read access to another account to my bucket.我希望为我的存储桶提供对另一个帐户的读取访问权限。
I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/我已通过以下链接提供访问权限: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object>.我正在使用aws s3 ls <s3://bucket_name>和aws s3 cp <path to s3 object>. to download the object下载object
I tried providing cross-account access to a bucket without SSE enabled.我尝试在未启用 SSE 的情况下提供对存储桶的跨账户访问。 I was successfully able to retrieve bucket details and download object. However, when I try to download object from a bucket with SSE enabled I get An error occurred (AccessDenied) when calling the GetObject operation: Access Denied exception.我成功地检索了存储桶详细信息并下载了 object。但是,当我尝试从启用了 SSE 的存储桶下载 object 时,我收到An error occurred (AccessDenied) when calling the GetObject operation: Access Denied异常。 I am able to list objects from the SSE-enabled bucket, just not download them.我能够列出支持 SSE 的存储桶中的对象,只是不能下载它们。
My bucket policy:我的存储桶策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
The ReadOnly role in the account has read permissions to all aws services.帐户中的 ReadOnly 角色对所有 aws 服务具有读取权限。 In addition I attached the following policy to the role as well此外,我还为该角色附加了以下政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeProperites",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionTorrent",
"s3:GetBucketRequestPayment",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "SomePermission",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "KMSWriteKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
I believe I am not able to getObject due to KMS decryption since I able to download with a SSE-disabled bucket.我相信由于 KMS 解密,我无法获取对象,因为我可以使用禁用 SSE 的存储桶进行下载。 Is my policy above correct?我的政策是否正确? Do I need to provide some additional permissions if using default kms keys?如果使用默认的 kms 密钥,我是否需要提供一些额外的权限? Is it possible to use default kms keys and provide cross-account access?是否可以使用默认的 kms 密钥并提供跨帐户访问?
2 个解决方案
解决方案1
4 2022-02-28 09:27:13
-> SSE enabled using default aws-kms key -> 使用默认的 aws-kms 密钥启用 SSE
This is the AWS Managed KMS key, you can only view the key policy of it.这是 AWS Managed KMS 密钥,您只能查看它的密钥策略。 You cannot edit the key policy of it.您不能编辑它的密钥策略。 So you will not be able to do cross account s3 object sharing with SSE-KMS AWS managed key.因此,您将无法使用 SSE-KMS AWS 托管密钥进行跨账户 s3 object 共享。
Please switch to use SSE-KMS Customer Managed Key and grant the cross-account prinicipal with the descrypt action in the selected KMS CMK.请切换为使用SSE-KMS Customer Managed Key ,并在选定的 KMS CMK 中向跨账户委托人授予descrypt操作。
解决方案2
1 2019-11-26 05:26:41
To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:要向账户 B 中的用户授予对账户 A 中 AWS KMS 加密存储桶的访问权限,您必须拥有以下权限:
- The bucket policy in Account A must grant access to Account B.账户 A 中的存储桶策略必须授予对账户 B 的访问权限。
- The AWS KMS key policy in Account A must grant access to the user in Account B.账户 A 中的 AWS KMS 密钥策略必须向账户 B 中的用户授予访问权限。
- The AWS Identity and Access Management (IAM) user policy in Account B must grant the user access to both the bucket and the key in Account A.账户 B 中的 AWS Identity and Access Management (IAM) 用户策略必须授予用户对账户 A 中存储桶和密钥的访问权限。
See more information here:在此处查看更多信息:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/ https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.