AWS - Server-side encryption access denied - Changing the encryption as the root user fails

Time: 2017-09-04 16:20:12

Tags: amazon-web-services encryption amazon-s3

I have read/write/admin permissions on an S3 bucket I created. I can create objects there and delete them as expected. The bucket also contains other folders that were transferred from another AWS account. I cannot download any items from those folders. When I click on a file, a message says "Server side encryption access denied". When I try to remove this encryption, it fails with the following message:

Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 93A26842904FFB2D; S3 Extended Request ID: OGQfxPPcd6OonP/CrCqfCIRQlMmsc8DwmeA4tygTGuEq18RbIx/psLiOfEdZHWbItpsI+M1yksQ=)

I am confused by this problem. I am the root user/owner of this bucket, so how is it that I cannot change the permissions/encryption of this material?

Thanks

2 answers:

Answer 0 (score: 2)

This is an interesting problem. I have seen this before when the KMS key needed to decrypt the files was not available/accessible. You could try moving the KMS key from the old account to the new account, or make the key accessible from the old account.

https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/

Answer 1 (score: 0)

You must make sure that you are still the owner of the files in the S3 bucket, rather than the other AWS account that uploaded into it.

Example S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allowNewDataToBeUploaded",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*"
        },{
            "Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

The external account must also use the x-amz-acl header in its requests:

import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;

ObjectMetadata metaData = new ObjectMetadata();
metaData.setContentLength(byteArrayLength);
// Grant the bucket owner full control of the uploaded object, as the Deny statement requires
metaData.setHeader("x-amz-acl", "bucket-owner-full-control");

s3Client.putObject(new PutObjectRequest(bucketNameAndFolder, fileKey, fileContentAsInputStream, metaData));

Further reading:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html

AWS S3 Server side encryption Access denied error

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/

https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTacl.html
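The two causes raised in the answers (an object still owned by the uploading account, and an object encrypted with a KMS key from another account) can be checked offline. The following is an added example, not code from the question or either answer; the account ids, ARNs, bucket name and object records in it are constructed sample values, and the policy is the answer's policy with those values filled in.

```python
"""Offline checks for the two cross-account causes discussed in the answers
(constructed example): objects owned by the uploading account, and objects
encrypted with another account's KMS key. All ids below are constructed."""
import re

BUCKET_OWNER = "111111111111"   # constructed: bucket owner's account id
EXTERNAL = "arn:aws:iam::222222222222:root"  # constructed: uploading account
# Same shape as the answer's policy, with constructed ids filled in.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "allowNewDataToBeUploaded", "Effect": "Allow", "Principal": {"AWS": EXTERNAL},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded", "Effect": "Deny",
     "Principal": {"AWS": EXTERNAL}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}


def kms_key_account(key_arn):
    """Account id embedded in a KMS key ARN, or None if it is not a key ARN."""
    m = re.match(r"arn:aws:kms:[^:]+:(\d{12}):key/", key_arn or "")
    return m.group(1) if m else None


def diagnose(obj, owner=BUCKET_OWNER):
    """Why the bucket owner may get 403 on an object. `obj` is a constructed
    record: the uploader's account id plus the SSE fields HeadObject returns."""
    reasons = []
    if obj.get("UploaderAccount") != owner:
        reasons.append("owned-by-uploader")           # needs bucket-owner-full-control
    key_acct = kms_key_account(obj.get("SSEKMSKeyId"))
    if obj.get("ServerSideEncryption") == "aws:kms" and key_acct not in (None, owner):
        reasons.append("foreign-kms-key:" + key_acct)  # needs key policy/grant for owner
    return reasons


def put_denied(policy, principal_arn, acl_header):
    """Simulate the policy's explicit Deny on PutObject. Only the StringNotEquals
    operator used above is modelled; as in IAM, a negated operator is true
    (so the Deny applies) when the request carries no s3:x-amz-acl key."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in acts or stmt["Principal"]["AWS"] != principal_arn:
            continue
        want = stmt.get("Condition", {}).get("StringNotEquals", {}).get("s3:x-amz-acl")
        if want is None or acl_header != want:
            return True
    return False
```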