S3 复制:拒绝访问:Amazon S3 无法检测是否在目标存储桶上启用了版本控制
[英]S3 replication: Access denied: Amazon S3 can't detect whether versioning is enabled on the destination bucket
问题描述
I'm configuring a replication between two s3 buckets.
我正在配置两个 s3 存储桶之间的复制。 but I get the error但我得到了错误
Access denied: Amazon S3 can't detect whether versioning is enabled on the destination bucket.
The destination bucket is in another account, different region.目标存储桶在另一个账户中,不同区域。 Here is the bucket policy in the destination bucket:这是目标存储桶中的存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::destination",
"arn:aws:s3:::destination/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAS3AHCETXXDF5Z5GVG:*",
"AROAS3AHCETXX2DMH4JPY:*",
"AROAS3AHCEXXX4SNCNTNV:*",
"AROAVJZZXXXXXZBBR7PN6L:*"
]
}
}
},
{
"Sid": "S3ReplicationPolicyStmt1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXX:root"
},
"Action": [
"s3:GetBucketVersioning",
"s3:GetObjectVersionForReplication",
"s3:PutBucketVersioning",
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:PutObjectAcl",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": [
"arn:aws:s3:::destination",
"arn:aws:s3:::destination/*"
]
}
]
}
My buckets are highly confidential, so I first deny all access except for some roles: So in the condition, I have the replication role ID excluded too.我的存储桶是高度机密的,因此我首先拒绝除某些角色之外的所有访问权限:因此,在这种情况下,我也排除了复制角色 ID。
Why the replication role is still not allowed to replicate?为什么复制角色仍然不允许复制? What is wrong with this bucket policy ?这个存储桶策略有什么问题? In the above policy I actually authorize the replication role twice.在上面的策略中,我实际上授权了复制角色两次。 in both statements.在这两个声明中。
Here is the replication IAM role policy:这是复制 IAM 角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::source",
"arn:aws:s3:::source/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetBucketVersioning",
"s3:GetObjectVersionTagging",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::destination/*"
}
]
}
I tried deleting the explicite deny statement and test the replication, the source bucket gets the Versioning and I had no access denied, but objects are not replicated.我尝试删除显式拒绝语句并测试复制,源存储桶获取版本控制并且我没有拒绝访问,但未复制对象。
2 个解决方案
解决方案1
0 2019-12-13 10:15:48
For my experience, AWS S3 policies follow a white-list approach, meaning that you first need to add statements for the actions you want to allow, and then a final statement to deny everything else.根据我的经验,AWS S3 策略遵循白名单方法,这意味着您首先需要为要允许的操作添加语句,然后是拒绝所有其他操作的最终语句。
So in your case, try to just switch the statements.所以在你的情况下,试着只切换语句。
解决方案2
0 已采纳 2019-12-16 14:23:45
The solution was to white list the replication role in the source bucket as well.解决方案是将源存储桶中的复制角色也列入白名单。 Both buckets have similar policy so It was necessary to allow the replication role to access the source.两个存储桶具有相似的策略,因此有必要允许复制角色访问源。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.