如何使用简单的 s3 存储桶策略授予对加密存储桶的跨账户访问权限?
[英]How do I grant cross account access to an encrypted bucket with a simple s3 bucket policy?
问题描述
I have an encrypted s3 bucket
我有一个加密的 s3 存储桶
I want to give another account access to this bucket我想授予另一个帐户访问此存储桶的权限
Normally I would just do this:通常我会这样做:
{
"Sid":"get",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::99999999999:root"
},
"Action":[
"s3:Get*",
],
"Resource":[
"arn:aws:s3:::my-bucket/*",
]
},
But this bucket is encrypted and they get this error:但是这个桶是加密的,他们得到这个错误:
upload failed: ./test to s3://my-bucket/test An error occurred (KMS.NotFoundException) when calling the PutObject operation: Key 'arn:aws:kms:us-east-1:99999999999:key/blahbalbhablhalbhalbh' does not exist
Looks like they need KMS access?看起来他们需要 KMS 访问权限? I can give their account access to the kms key with the kms policy and that will fix it?我可以使用 kms 策略让他们的帐户访问 kms 密钥,这会解决问题吗? If so I need to create a custom key to edit the policy right?如果是这样,我需要创建一个自定义密钥来编辑策略吗? I want to assign their account ID access to the encrypted bucket directly我想直接将他们的帐户 ID 访问权限分配给加密的存储桶
1 个解决方案
解决方案1
1 已采纳 2020-01-11 04:25:11
You're on the right path!你走在正确的道路上! You need to create a customer managed KMS key (CMK) and update the KMS key policy to use the key for decryption.您需要创建客户管理的 KMS 密钥 (CMK) 并更新 KMS 密钥策略以使用该密钥进行解密。 Use that encryption key when you put items in the bucket.将项目放入存储桶时使用该加密密钥。 Make sure the KMS policy is least privilege!确保 KMS 策略是最小权限!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.