Unable to read or write any files using AWS Transfer for SFTP when using KMS encryption key


Problem description


I've set up a server under Amazon's new AWS Transfer for SFTP managed SFTP service according to the user guide, but I've been unable to get it to work with a KMS encryption key. My SFTP client can authenticate fine, but when I attempt to put a file, the file uploads but then fails to save with a Couldn't close file: Failure error.


I have the role associated with my SFTP user in the list of Key Users, but I suspect something in the "step down" policy (that is used to prevent SFTP users from seeing other folders in the associated S3 bucket) is preventing the key from being used, because I tried removing the step-down policy, and then everything worked fine (but that then exposes the entire bucket to every user which is clearly unacceptable).


Any ideas what I need to add to the step-down policy (or the key policy) to allow the KMS key to be used in this way?

Recommended answer


We found two problems that together caused this same error:

  • Although we'd enabled default encryption on our backing S3 bucket, we still had a policy in place to require encryption. AWS applies that policy before the default encryption, so even aws s3 cp commands without the --sse:aws:kms flag would fail. Removing that policy made aws s3 cp use the default encryption policy.
  • We needed to add a few kms:XXX permissions to the policy attached to the role attached to the SFTP user that we created. All together, our policy now looks like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:ListBucket",
            "Resource": "${bucket_arn}",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "${bucket_arn}/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:DescribeKey"
            ],
            "Resource": "${kms_arn}",
            "Effect": "Allow"
        }
    ]
}


Applying that to the user made SFTP start working as hoped.
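A small check that a role policy like the one above actually covers the KMS actions S3 calls on the SFTP user's behalf for SSE-KMS objects (an added example, not code from the original answer; the policy document and the `with_kms_actions` helper are constructed here, and the `${bucket_arn}` / `${kms_arn}` placeholders are left as-is). It resolves IAM wildcards the way IAM does, so it also shows why a bare `kms:ReEncrypt` entry grants nothing, while `kms:ReEncrypt*` covers the real `ReEncryptFrom` / `ReEncryptTo` actions.

```python
import copy
import fnmatch

# Constructed sample: the SFTP role policy from the answer above.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "${bucket_arn}"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "${bucket_arn}/*"},
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "${kms_arn}"},
    ],
}

# The answer's KMS action list, expanded to concrete action names (ReEncrypt
# is really two actions). For SSE-KMS, S3 needs kms:GenerateDataKey to store an
# object and kms:Decrypt to read it; the rest are what the answer chose to grant.
REQUIRED_KMS_ACTIONS = {
    "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:DescribeKey",
}


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, required):
    """Return the subset of `required` that some Allow statement grants."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        granted |= {a for a in required if any(_action_matches(p, a) for p in patterns)}
    return granted


def missing_kms_actions(policy):
    """KMS actions the role still lacks; an empty set means SSE-KMS I/O can work."""
    return REQUIRED_KMS_ACTIONS - allowed_actions(policy, REQUIRED_KMS_ACTIONS)


def with_kms_actions(policy, kms_actions):
    """Copy of `policy` with the kms:* statement's Action list replaced (helper)."""
    variant = copy.deepcopy(policy)
    variant["Statement"][2]["Action"] = list(kms_actions)
    return variant
```

Run `missing_kms_actions` against the policy before attaching it to the Transfer user; any action it returns is one that S3 (acting as the user) will be denied by KMS.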
