
Access Denied issue in AWS Cross Account S3 PutObject encrypted by AWS Managed Key

I am trying to put a text file from a Lambda function in Account B into an S3 bucket in Account A. The S3 bucket (test-bucket) has AWS-KMS encryption enabled with the aws/s3 managed key.

1. I added the permissions below to the S3 bucket (test-bucket) in Account A:

   ```json
   {
       "Version": "2012-10-17",
       "Id": "ExamplePolicy",
       "Statement": [
           {
               "Sid": "ExampleStmt",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::AccountB:role/Lambda-Role"
               },
               "Action": "s3:*",
               "Resource": "arn:aws:s3:::test-bucket/*"
           }
       ]
   }
   ```

2. I added the inline policy below to my Lambda execution role in Account B:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:DescribeKey",
                   "kms:ReEncrypt*"
               ],
               "Resource": [
                   "arn:aws:kms:us-west-2:AccountA:key/AWS-KMS-ID"
               ]
           }
       ]
   }
   ```

This is my Lambda Code:

```python
import boto3

s3 = boto3.client('s3')  # client creation was not shown in the original snippet

# message and file_name come from the Lambda handler's input
res = s3.put_object(
    Body=message,
    Key=file_name,
    Bucket='test-bucket',
    ACL='bucket-owner-full-control'
)
```

I get the error below when running this code from the Lambda in Account B:

    An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Since the S3 bucket is encrypted with an AWS managed key, I cannot edit the KMS key policy the way we do in the case of a customer managed key.

Could someone please tell me what I am missing?

Try granting your Lambda function permission for the s3:PutObject action. The inline policy of your Lambda role should then look something like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:ReEncrypt*"
      ],
      "Resource": [
        "arn:aws:kms:us-west-2:AccountA:key/AWS-KMS-ID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test-bucket/*"
    }
  ]
}
```

I've been troubleshooting this for a couple of hours myself.

I don't believe this is possible with the default "AWS Managed Key" when using SSE-KMS. Instead you have to create a CMK and grant the cross account user access to this key.

HTH

Cross-account access cannot be granted for an AWS managed key. You need to use a customer managed key or default encryption.

This can be useful: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-default-encryption/
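The thread converges on three separate conditions for a cross-account PutObject into an SSE-KMS bucket: the execution role's identity policy must allow s3:PutObject, the bucket policy must allow the role, and the bucket's default key must be one whose key policy can actually grant the other account (a customer managed key or SSE-S3, not aws/s3). The script below is an added example, not code from the question or any of the answers, that encodes those three conditions as an offline preflight check over the policies and encryption rule. Account IDs, the key ID and the object name are constructed placeholders; the policy evaluation is deliberately simplified (Allow statements only, no Deny, Condition, NotAction, SCP or permissions-boundary handling), and the AWS-managed-key test is a heuristic on the encryption rule, the authoritative source being KeyMetadata.KeyManager from kms:DescribeKey.

```python
"""Offline preflight for a cross-account S3 PutObject into an SSE-KMS bucket.
Constructed example: account IDs, key ID and object name are placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"  # placeholder: owns the bucket and the KMS key
ACCOUNT_B = "222222222222"  # placeholder: owns the Lambda execution role
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Lambda-Role"
BUCKET_OBJECTS = "arn:aws:s3:::test-bucket/*"
REQUEST_OBJECT = "arn:aws:s3:::test-bucket/report.txt"  # object the Lambda writes
CMK_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT_A}:key/KEY-ID-PLACEHOLDER"

# Bucket policy from the question, with placeholder account IDs.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ExampleStmt", "Effect": "Allow",
    "Principal": {"AWS": LAMBDA_ROLE_ARN},
    "Action": "s3:*", "Resource": BUCKET_OBJECTS}]}

KMS_STATEMENT = {"Effect": "Allow", "Resource": [CMK_ARN], "Action": [
    "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:ReEncrypt*"]}
# Role policy as posted in the question, and the version the first answer proposes.
ROLE_POLICY_ORIGINAL = {"Version": "2012-10-17", "Statement": [KMS_STATEMENT]}
ROLE_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [KMS_STATEMENT,
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS}]}

# Default-encryption rules in the shape of GetBucketEncryption's
# ApplyServerSideEncryptionByDefault (values constructed). "aws:kms" with no
# KMSMasterKeyID means the AWS managed key aws/s3.
ENC_AWS_MANAGED = {"SSEAlgorithm": "aws:kms"}
ENC_CMK = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN}
ENC_SSE_S3 = {"SSEAlgorithm": "AES256"}


def _listify(value):
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return principal == "*"
    aws = _listify(principal.get("AWS"))
    return "*" in aws or principal_arn in aws


def policy_allows(policy, action, resource, principal_arn=None):
    """True if an Allow statement grants `action` on `resource` (and, for a
    resource-based policy, names `principal_arn`). Simplified on purpose: Deny,
    Condition, NotAction/NotResource, SCPs and permissions boundaries are ignored."""
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Actions match case-insensitively with IAM wildcards; resources match case-sensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt.get("Resource"))):
            continue
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        return True
    return False


def uses_aws_managed_key(rule):
    """Heuristic: aws:kms with no key ID, or the aws/s3 alias, is the AWS managed key.
    The authoritative check is kms:DescribeKey -> KeyMetadata.KeyManager == "AWS"."""
    if rule.get("SSEAlgorithm") != "aws:kms":
        return False
    key_id = rule.get("KMSMasterKeyID", "")
    return key_id == "" or key_id.endswith("alias/aws/s3")


def preflight(role_policy, bucket_policy, encryption_rule, principal_arn, object_arn):
    """Return (code, message) findings; an empty list means the cross-account
    PutObject is expected to succeed as far as these inputs can tell."""
    findings = []
    if not policy_allows(role_policy, "s3:PutObject", object_arn):
        findings.append(("ROLE_NO_PUTOBJECT",
                         "the execution role's identity policy does not allow s3:PutObject on the object"))
    if not policy_allows(bucket_policy, "s3:PutObject", object_arn, principal_arn):
        findings.append(("BUCKET_NO_PUTOBJECT",
                         "the bucket policy does not allow this principal to call s3:PutObject"))
    if encryption_rule.get("SSEAlgorithm") == "aws:kms":
        if uses_aws_managed_key(encryption_rule):
            findings.append(("AWS_MANAGED_KEY",
                             "default encryption uses the AWS managed key aws/s3, whose key policy cannot "
                             "grant another account; use a customer managed key or SSE-S3 (AES256)"))
        elif not policy_allows(role_policy, "kms:GenerateDataKey", encryption_rule["KMSMasterKeyID"]):
            findings.append(("ROLE_NO_GENERATEDATAKEY",
                             "SSE-KMS uploads need kms:GenerateDataKey on the bucket's key"))
    return findings


if __name__ == "__main__":
    for label, role, enc in [
        ("as posted (no s3:PutObject, aws/s3 key)", ROLE_POLICY_ORIGINAL, ENC_AWS_MANAGED),
        ("first answer applied, still aws/s3 key", ROLE_POLICY_FIXED, ENC_AWS_MANAGED),
        ("first answer applied, bucket moved to a CMK", ROLE_POLICY_FIXED, ENC_CMK),
    ]:
        findings = preflight(role, BUCKET_POLICY, enc, LAMBDA_ROLE_ARN, REQUEST_OBJECT)
        print(f"{label}: {[code for code, _ in findings] or 'OK'}")
```

Running the script walks through the thread's three states: the setup as posted fails on both the missing s3:PutObject and the aws/s3 key, applying the first answer removes only the first finding, and only moving the bucket to a customer managed key (or SSE-S3) clears the check. One thing the script cannot see is the key policy of that customer managed key in Account A, which must itself grant the Account B role before the upload works.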
