
How can AWS CloudFormation Lambda resource access code file in S3 if it is KMS encrypted?

My Lambda function deployment via CloudFormation works OK when the Lambda's code file in S3 bucket is not encrypted, but fails when I use KMS encrypted code file.

I have an AWS CloudFormation stack that contains Lambda resources. My Python code ZIP file is in an S3 bucket. The Lambda resources in my CFN template contain a "Code" property that points to the S3Bucket and S3Key where the zip is located. The bucket policy allows my role the actions s3:GetObject, s3:PutObject, s3:ListBucket. The stack build works fine when the code ZIP file is unencrypted. But when I use a KMS encrypted zip file in the bucket, I get the error:

"Your access has been denied by S3, please make sure your request credentials have permission to GetObject for my-bucket/my-folder/sample.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied"

Do I need to enhance my S3 bucket policy to support accessing KMS encrypted files? How is that done? (The error message seems misleading, since my bucket policy already does allow my role GetObject access.) Thanks.

Since you are almost certain that the request is failing for encrypted objects, you have to give the "role" you are referring to permission to use the KMS CMK, and it must be done via the KMS key policy (and/or IAM policy).

If you are using a customer managed CMK, then you can refer here and add the IAM role as a Key User. If you are using an AWS managed CMK (identifiable by the AWS icon), you can add a permission policy to the IAM role as follows:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:*"
    ],
    "Resource": [
      "arn:aws:kms:*:account_id:key/key_id"
    ]
  }
}

Note:

  1. The above policy allows all KMS APIs for the specific key, but you can tweak it to give the minimum required permission.

  2. For customer managed CMKs, it is also possible to manage the permission to the KMS CMK via the IAM policy (along with the key policy). Since we don't know the key policy, I just included the option to manage it via the key policy itself.
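The note above says the kms:* policy can be tightened. As an added example (not code from the question or the answer), here is a CloudFormation fragment that attaches a least-privilege inline policy to the role whose credentials CloudFormation uses to create the function: s3:GetObject on the one object, and kms:Decrypt on the one key, usable only when S3 calls KMS on the role's behalf. The role name, region, account id and key id are placeholders; the bucket and object path are the ones from the error message in the question.

```yaml
# Added example, not from the original post. Grants only what is needed to
# read an SSE-KMS encrypted deployment ZIP: GetObject on the object plus
# Decrypt on the specific CMK. All values marked "placeholder" are assumptions.
Resources:
  ReadEncryptedLambdaCodePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: read-encrypted-lambda-code
      Roles:
        - my-cfn-deploy-role                     # placeholder: role named "my role" in the question
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The ZIP itself. The bucket policy must allow this as well,
          # which the question says it already does.
          - Effect: Allow
            Action: s3:GetObject
            Resource: arn:aws:s3:::my-bucket/my-folder/sample.zip
          # Decrypt the object's data key with one specific CMK, and only
          # when the call comes from S3 acting for this role, not directly.
          - Effect: Allow
            Action: kms:Decrypt
            Resource: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID   # placeholder
            Condition:
              StringEquals:
                kms:ViaService: s3.REGION.amazonaws.com         # placeholder region
```

For an AWS managed key the key policy already delegates to IAM, so this policy alone is enough; for a customer managed CMK the key policy must also list the role (as the answer notes), otherwise the IAM grant has nothing to attach to. To find which key an object was encrypted with before writing the policy, `aws s3api head-object --bucket my-bucket --key my-folder/sample.zip` reports ServerSideEncryption and SSEKMSKeyId for the object.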
