带有默认kms密钥的s3跨帐户访问 [英] s3 cross account access with default kms key
问题描述
我的帐户中有一个s3存储桶,该存储桶已使用默认的aws-kms
键启用了SSE.我希望为我的存储桶提供对另一个帐户的读取权限.
I have an s3 bucket in my account which has SSE enabled using default aws-kms
key. I wish to provide read access to another account to my bucket.
我点击了以下链接以提供访问权限: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
我正在使用aws s3 ls <s3://bucket_name>
和aws s3 cp <path to s3 object> .
下载对象
我尝试在未启用SSE的情况下提供对存储桶的跨帐户访问.我能够成功检索存储桶详细信息并下载对象.但是,当我尝试从启用了SSE的存储桶中下载对象时,出现An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
异常.我能够从启用了SSE的存储桶中列出对象,而不必下载它们.
I tried providing cross-account access to a bucket without SSE enabled. I was successfully able to retrieve bucket details and download object. However, when I try to download object from a bucket with SSE enabled I get An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
exception. I am able to list objects from the SSE-enabled bucket, just not download them.
我的存储桶策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
该帐户中的ReadOnly角色具有对所有aws服务的读取权限.此外,我还为该角色附加了以下政策
The ReadOnly role in the account has read permissions to all aws services. In addition I attached the following policy to the role as well
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeProperites",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionTorrent",
"s3:GetBucketRequestPayment",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "SomePermission",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "KMSWriteKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
我相信由于KMS解密,我无法使用getObject,因为我可以使用禁用了SSE的存储桶进行下载.我的上述政策正确吗?如果使用默认的kms密钥,是否需要提供一些其他权限?是否可以使用默认的kms密钥并提供跨帐户访问权限?
I believe I am not able to getObject due to KMS decryption since I able to download with a SSE-disabled bucket. Is my policy above correct? Do I need to provide some additional permissions if using default kms keys? Is it possible to use default kms keys and provide cross-account access?
推荐答案
要向帐户B中的用户授予对帐户A中对AWS KMS加密的存储桶的访问权限,您必须具有以下权限:
To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:
- 帐户A中的存储桶策略必须授予对帐户B的访问权限.
- 账户A中的AWS KMS密钥策略必须向账户B中的用户授予访问权限.
- 账户B中的AWS Identity and Access Management(IAM)用户策略必须授予用户对存储桶和账户A中的密钥的访问权限.
在此处查看更多信息:
https://aws. amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
这篇关于带有默认kms密钥的s3跨帐户访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!