Deny CreateBucket in S3 unless AES256 Encryption Checked


Problem description

I have been trying for the better part of a day. I am, as an administrator, attempting to require users to check the "Automatically encrypt objects when they are stored in S3" button (AES256) when creating their S3 buckets. I've tried about everything I can think of. So far, I have only gotten 2 separate results.

As a test user, I am either allowed to create buckets (with or without checking encryption), or I am denied (with or without checking encryption).

The last effort has resulted in the following policy being applied to the test user, in which case I am denied creating a bucket whether or not I check the encryption box:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "s3:CreateBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-content-sha256": "AES256"
                },
                "Null": {
                    "s3:x-amz-content-sha256": true
                }
            }
        }
    ]
}

I have combined the above policy with S3AllowFullAccess, with other custom policies allowing access, but I simply cannot get it to work.

Thanks for your help.

Answer

The CreateBucket() command does not accept a bucket encryption setting.

For example, when creating a bucket from the AWS CLI, the options are:

aws s3api  create-bucket
[--acl <value>]
--bucket <value>
[--create-bucket-configuration <value>]
[--grant-full-control <value>]
[--grant-read <value>]
[--grant-read-acp <value>]
[--grant-write <value>]
[--grant-write-acp <value>]
[--object-lock-enabled-for-bucket | --no-object-lock-enabled-for-bucket]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

It is not possible to specify bucket encryption.

Instead, bucket encryption is specified with the put-bucket-encryption command:

aws s3api put-bucket-encryption
--bucket <value>
[--content-md5 <value>]
--server-side-encryption-configuration <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

This means that it is not possible to create a policy on CreateBucket() that forces a server-side encryption value. It needs to be set after the bucket is created.

You could create an Amazon CloudWatch Events Rule that activates on CreateBucket(), and triggers an AWS Lambda function. You could then code the function to call PutBucketEncryption() on the bucket.
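As an added illustration of the rule-plus-Lambda approach described above (example code, not part of the original answer), the following Python function is shaped like a Lambda handler: it takes the bucket name from a CloudTrail-delivered CreateBucket event and calls PutBucketEncryption with an AES256 default. The EventBridge rule pattern, the constructed sample event and the in-memory FakeS3Client are assumptions made here so the code runs offline; in a real deployment the handler uses boto3 and the function's execution role needs s3:PutEncryptionConfiguration and s3:GetEncryptionConfiguration.

```python
"""Added example (not from the original answer): a Lambda-style handler that
reacts to a CreateBucket event and enables AES256 default encryption on the
new bucket. Bucket-name extraction follows the CloudTrail event schema."""
import json

try:
    import boto3  # present in the Lambda runtime; optional for this demo
except ImportError:
    boto3 = None

# Event pattern for the CloudWatch Events / EventBridge rule that triggers
# this function. CloudTrail must be recording S3 management events.
EVENT_RULE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["CreateBucket"],
    },
}

# Default-encryption configuration applied to each new bucket (SSE-S3 / AES256).
SSE_CONFIG = {
    "Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    ]
}


def bucket_name_from_event(event):
    """Pull the bucket name out of a CloudTrail CreateBucket event.
    Raises KeyError if the event does not carry one."""
    return event["detail"]["requestParameters"]["bucketName"]


def enforce_default_encryption(event, s3_client=None):
    """Apply AES256 default encryption to the bucket named in `event`.
    `s3_client` may be injected (used for the offline demo); otherwise a
    boto3 S3 client is created. Returns a dict with the effective setting."""
    bucket = bucket_name_from_event(event)
    if s3_client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required when no client is injected")
        s3_client = boto3.client("s3")
    s3_client.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=SSE_CONFIG
    )
    # Read the setting back so the log records what actually took effect.
    resp = s3_client.get_bucket_encryption(Bucket=bucket)
    rule = resp["ServerSideEncryptionConfiguration"]["Rules"][0]
    algo = rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    return {"bucket": bucket, "sse_algorithm": algo}


def lambda_handler(event, context):
    """Entry point wired to the EventBridge rule."""
    result = enforce_default_encryption(event)
    print(json.dumps(result))
    return result


# Constructed sample event, shaped like a CloudTrail CreateBucket record.
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "example-new-bucket"},
    },
}


class FakeS3Client:
    """In-memory stand-in for boto3's S3 client (assumption for offline use)."""

    def __init__(self):
        self.encryption = {}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encryption[Bucket] = ServerSideEncryptionConfiguration
        return {}

    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": self.encryption[Bucket]}


if __name__ == "__main__":
    print(enforce_default_encryption(SAMPLE_EVENT, FakeS3Client()))
```

Reading the configuration back after writing it is deliberate: the log line then records the algorithm S3 reports, not the one the function intended, which is what an auditor wants to see.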

Update: Rather than setting encryption at the bucket level, you could use a policy that requires objects themselves to be encrypted.

Here is an example Service Control Policy from AWS Organizations that requires everybody to upload only encrypted objects:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}
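To show how the two Deny statements above behave against concrete PutObject requests, here is an added example (not part of the original answer): a deliberately minimal evaluator for the StringNotEquals and Null condition operators, run over the policy as written and, for comparison, over a single-statement variant that puts both conditions in one statement. The single-statement variant and the three request contexts are constructed here; the evaluator ignores Resource and Principal matching and Allow statements, since only the Deny conditions matter for this comparison.

```python
"""Added example: evaluate the two-statement SCP above against constructed
PutObject request contexts, and contrast it with a single-statement variant.
Simplified IAM semantics: conditions within one statement are ANDed, Null:true
matches an absent key, and a negated operator (StringNotEquals) evaluates to
true when the key is absent."""

SCP_TWO_STATEMENTS = [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
     "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
     "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": True}}},
]

# Constructed variant: both conditions inside ONE statement (so they are ANDed).
SCP_ONE_STATEMENT = [
    {"Sid": "Combined", "Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {
         "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"},
         "Null": {"s3:x-amz-server-side-encryption": True},
     }},
]

# Constructed request contexts: header value present as the condition key.
REQUESTS = {
    "aes256": {"s3:x-amz-server-side-encryption": "AES256"},
    "kms": {"s3:x-amz-server-side-encryption": "aws:kms"},
    "none": {},  # no x-amz-server-side-encryption header at all
}


def _condition_matches(operator, key, expected, context):
    present = key in context
    if operator == "Null":
        # Null:true matches when the key is absent; Null:false when present.
        return present != bool(expected)
    if operator == "StringNotEquals":
        # Negated operator: an absent key counts as "not equal".
        return (not present) or context[key] != expected
    if operator == "StringEquals":
        return present and context[key] == expected
    raise ValueError(f"unsupported operator {operator}")


def statement_matches(statement, action, context):
    """True if the statement applies to `action` and every condition holds."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if action not in actions:
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def denied(statements, action, context):
    """An explicit Deny wins if any Deny statement matches."""
    return any(s["Effect"] == "Deny" and statement_matches(s, action, context)
               for s in statements)


def evaluate(statements):
    """Map each constructed request name to whether PutObject is denied."""
    return {name: denied(statements, "s3:PutObject", ctx)
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print("two statements:", evaluate(SCP_TWO_STATEMENTS))
    print("one statement: ", evaluate(SCP_ONE_STATEMENT))
```

With two statements, only the AES256 upload gets through; a missing header and an aws:kms header are both denied. Folding both conditions into one statement lets the aws:kms upload through, because Null:true is false when the header is present and the ANDed statement then fails to match. That is why the policy keeps the "wrong value" and "no value" cases in separate statements.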
