使用默认kms密钥进行s3跨帐户访问
我的账户中有一个s3存储桶,它使用默认的aws-kms密钥启用了SSE。我希望为我的存储桶提供对另一个帐户的读取访问权限。
我已经通过以下链接提供了访问:https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
我正在使用aws s3 ls <s3://bucket_name>和aws s3 cp <path to s3 object> .下载对象
我尝试在没有启用SSE的情况下提供对存储桶的跨账号访问。我成功地检索到了存储桶详细信息并下载了对象。但是,当我尝试从启用了SSE存储桶中下载对象时,我得到了An error occurred (AccessDenied) when calling the GetObject operation: Access Denied异常。我可以列出启用SSE的存储桶中的对象,但不能下载它们。
我的存储桶策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}帐户中的ReadOnly角色对所有亚马逊网络服务具有读取权限。此外,我还将以下策略附加到该角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeProperites",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionTorrent",
"s3:GetBucketRequestPayment",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "SomePermission",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "KMSWriteKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}我相信由于KMS解密,我无法进行getObject,因为我可以使用禁用SSE的存储桶下载。我上面的政策正确吗?如果使用默认的kms密钥,是否需要提供一些额外的权限?是否可以使用默认kms密钥并提供跨账号访问?
回答 2
Stack Overflow用户
发布于 2022-02-28 09:27:14
使用默认-> -kms密钥启用了aws SSE
这是AWS托管KMS密钥,您只能查看其密钥策略。您不能对其密钥策略进行编辑。因此,您将无法使用SSE-KMS AWS管理密钥进行跨帐户s3对象共享。
请切换使用SSE-KMS Customer Managed Key,并在所选KMS主密钥中向跨账号主体授予descrypt操作。
Stack Overflow用户
发布于 2019-11-26 13:26:42
要向帐户B中的用户授予对帐户A中的AWS KMS加密桶的访问权限,您必须具备以下权限:
- 帐户A中的存储桶策略必须向帐户B授予访问权限。
- 帐户A中的AWS KMS密钥策略必须向帐户B中的用户授予访问权限。
- 帐户B中的AWS身份和访问管理用户策略必须向用户授予对帐户A中的存储桶和密钥的访问权限。
请在此处查看更多信息:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
https://stackoverflow.com/questions/59043525
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号