带有默认kms密钥的s3跨帐户访问 [英] s3 cross account access with default kms key

问题描述

我的帐户中有一个s3存储桶，该存储桶已使用默认的aws-kms键启用了SSE.我希望为我的存储桶提供对另一个帐户的读取权限.

I have an s3 bucket in my account which has SSE enabled using default aws-kms key. I wish to provide read access to another account to my bucket.

我点击了以下链接以提供访问权限: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

我正在使用aws s3 ls <s3://bucket_name>和aws s3 cp <path to s3 object> .下载对象

我尝试在未启用SSE的情况下提供对存储桶的跨帐户访问.我能够成功检索存储桶详细信息并下载对象.但是，当我尝试从启用了SSE的存储桶中下载对象时，出现An error occurred (AccessDenied) when calling the GetObject operation: Access Denied异常.我能够从启用了SSE的存储桶中列出对象，而不必下载它们.

I tried providing cross-account access to a bucket without SSE enabled. I was successfully able to retrieve bucket details and download object. However, when I try to download object from a bucket with SSE enabled I get An error occurred (AccessDenied) when calling the GetObject operation: Access Denied exception. I am able to list objects from the SSE-enabled bucket, just not download them.

我的存储桶策略:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
              ]
            },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

该帐户中的ReadOnly角色具有对所有aws服务的读取权限.此外，我还为该角色附加了以下政策

The ReadOnly role in the account has read permissions to all aws services. In addition I attached the following policy to the role as well

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SomeProperites",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketByTags",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:GetAccelerateConfiguration",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionTorrent",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:DescribeJob",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "SomePermission",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListJobs",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSWriteKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

我相信由于KMS解密，我无法使用getObject，因为我可以使用禁用了SSE的存储桶进行下载.我的上述政策正确吗?如果使用默认的kms密钥，是否需要提供一些其他权限?是否可以使用默认的kms密钥并提供跨帐户访问权限?

I believe I am not able to getObject due to KMS decryption since I able to download with a SSE-disabled bucket. Is my policy above correct? Do I need to provide some additional permissions if using default kms keys? Is it possible to use default kms keys and provide cross-account access?

推荐答案

要向帐户B中的用户授予对帐户A中对AWS KMS加密的存储桶的访问权限，您必须具有以下权限:

To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:

• 帐户A中的存储桶策略必须授予对帐户B的访问权限.
• 账户A中的AWS KMS密钥策略必须向账户B中的用户授予访问权限.
• 账户B中的AWS Identity and Access Management(IAM)用户策略必须授予用户对存储桶和账户A中的密钥的访问权限.

在此处查看更多信息:

https://aws. amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

这篇关于带有默认kms密钥的s3跨帐户访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！