I am trying to set up replication of encrypted objects to an S3 bucket in a different region. To do this I need to specify one or more KMS keys that are used to decrypt the source objects.
I am using the following Terraform script:
replication_configuration {
  role = "${aws_iam_role.replication.arn}"
  rules {
    id     = "${var.service}"
    prefix = "${var.replication_bucket_prefix}"
    status = "Enabled"
    destination {
      bucket             = "${aws_s3_bucket.replication_bucket.arn}"
      storage_class      = "STANDARD"
      replica_kms_key_id = "xxxxx"
    }
    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}
This script works (it applies), but when I check in the AWS console no KMS key is selected for the source objects.
Looking at the configuration I cannot see anywhere to specify those keys. replica_kms_key_id is used to specify the KMS key that encrypts the objects in the destination bucket.
Answer 0 (score: 0)
I ran into the same problem when trying to implement KMS-encrypted cross-region, cross-account replication with Terraform.
At some point I noticed that the source KMS key was missing from the configuration (as in your case) and added it through the S3 web interface. After doing that, AWS created another policy (crr-$SOURCE_BUCKET_NAME-to-$TARGET_BUCKET_NAME), which is not mentioned anywhere (I found it a day later while doing something else), and attached it to the replication role. After inspecting that policy I realised it was the missing piece of the puzzle.
Here is the relevant part of the policy:
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${var.source_bucket_region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::${var.source_bucket_name}/*"
          ]
        }
      },
      "Resource": [
        "${var.source_kms_key_arn}"
      ]
    },
${var.source_kms_key_arn} is your source KMS key ARN.
PS: this problem drove me crazy! (╯°□°)╯︵┻━┻
Answer 1 (score: 0)
When you set up replication in the console, it creates a new policy and attaches it to your replication role. If you create that policy with Terraform, it shows up in the console and replication works.
The code below assumes you are creating all the buckets and keys in Terraform, that the bucket resources are named aws_s3_bucket.source and aws_s3_bucket.replica, and that the key resources are named aws_kms_key.source and aws_kms_key.replica.
This really should be described in the s3 bucket resource documentation on the Terraform site, because without it replication will not work, but it isn't.
# Policy for the replication role. It still has to be attached to that role
# (for example with aws_iam_role_policy_attachment); on its own it grants nothing.
resource "aws_iam_policy" "replication" {
  name   = "tf-iam-role-policy-replication-12345"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source.arn}",
        "${aws_s3_bucket.source.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.replica.arn}/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${aws_s3_bucket.source.region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "${aws_s3_bucket.source.arn}/*"
          ]
        }
      },
      "Resource": [
        "${aws_kms_key.source.arn}"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${aws_s3_bucket.replica.region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "${aws_s3_bucket.replica.arn}/*"
          ]
        }
      },
      "Resource": [
        "${aws_kms_key.replica.arn}"
      ]
    }
  ]
}
POLICY
}
More details can be found in issue #6046 of the terraform-provider-aws repo.
Answer 2 (score: 0)
Ran into the same problem. I started from the policy documents in the earlier comments from Matt and malte, but could only get it working with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source.arn}",
        "${aws_s3_bucket.source.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLikeIfExists": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms",
            "AES256"
          ],
          "s3:x-amz-server-side-encryption-aws-kms-key-id": [
            "${aws_kms_key.replica.arn}"
          ]
        }
      },
      "Resource": [
        "${aws_s3_bucket.replica.arn}/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${aws_s3_bucket.source.region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "${aws_s3_bucket.source.arn}/*"
          ]
        }
      },
      "Resource": [
        "${aws_kms_key.source.arn}"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${aws_s3_bucket.replica.region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "${aws_s3_bucket.replica.arn}/*"
          ]
        }
      },
      "Resource": [
        "${aws_kms_key.replica.arn}"
      ]
    }
  ]
}
Note the change, which presumably comes from V3 of the CRR policy (when you select it in the console, AWS creates s3crr_kms_v3_*):
    "Condition": {
      "StringLikeIfExists": {
        "s3:x-amz-server-side-encryption": [
          "aws:kms",
          "AES256"
        ],
        "s3:x-amz-server-side-encryption-aws-kms-key-id": [
          "${aws_kms_key.replica.arn}"
        ]
      }
    }
The Terraform documentation for S3 CRR with KMS is still very limited.
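The following is an added example, not code from the question or from any of the answers. It wires together what Answer 1 and Answer 2 describe: the role policy built as an aws_iam_policy_document (so Terraform validates the JSON and each KMS grant is pinned to one key, one region's S3 endpoint and one bucket's encryption context), the attachment to the replication role that is easy to forget, and the replication rule in the form used by AWS provider 4.x and later, where it is a separate resource. It assumes the resources the answers name (aws_s3_bucket.source, aws_s3_bucket.replica, aws_kms_key.source, aws_kms_key.replica) and the question's aws_iam_role.replication (with a trust policy for s3.amazonaws.com) already exist in the same configuration, that both buckets have versioning enabled, and that the default provider is in the source region. The rule id and prefix are placeholders.

```hcl
# Added example: role policy + attachment + replication rule for SSE-KMS CRR.
# Assumes aws_s3_bucket.source/.replica, aws_kms_key.source/.replica and
# aws_iam_role.replication exist, both buckets are versioned, and the
# default provider runs in the source bucket's region.
data "aws_iam_policy_document" "replication" {
  # Read side: list the source bucket and fetch object versions to replicate.
  statement {
    actions = ["s3:ListBucket", "s3:GetReplicationConfiguration",
      "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging"]
    resources = [aws_s3_bucket.source.arn, "${aws_s3_bucket.source.arn}/*"]
  }

  # Write side, with the V3-style guard from Answer 2: replicas may only be
  # written with SSE-S3 or SSE-KMS under the replica key.
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["${aws_s3_bucket.replica.arn}/*"]
    condition {
      test     = "StringLikeIfExists"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms", "AES256"]
    }
    condition {
      test     = "StringLikeIfExists"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [aws_kms_key.replica.arn]
    }
  }

  # Decrypt only via S3 in the source region, only for source-bucket objects.
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.source.arn]
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${aws_s3_bucket.source.region}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.source.arn}/*"]
    }
  }

  # Encrypt only via S3 in the replica region, only for replica-bucket objects.
  statement {
    actions   = ["kms:Encrypt"]
    resources = [aws_kms_key.replica.arn]
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${aws_s3_bucket.replica.region}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.replica.arn}/*"]
    }
  }
}

# Inline policy on the role: this attachment is the step the console does for
# you and that the question's configuration was missing.
resource "aws_iam_role_policy" "replication" {
  name   = "s3-crr-sse-kms" # assumed name
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication.json
}

resource "aws_s3_bucket_replication_configuration" "source" {
  bucket = aws_s3_bucket.source.id
  role   = aws_iam_role.replication.arn

  rule {
    id     = "replicate-sse-kms-objects" # assumed id
    status = "Enabled"

    filter {
      prefix = "data/" # assumed prefix
    }
    delete_marker_replication {
      status = "Disabled"
    }

    # Without this block SSE-KMS objects are skipped regardless of the role.
    source_selection_criteria {
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    destination {
      bucket        = aws_s3_bucket.replica.arn
      storage_class = "STANDARD"
      # Key that re-encrypts replicas; the source key is only in the role policy.
      encryption_configuration {
        replica_kms_key_id = aws_kms_key.replica.arn
      }
    }
  }
}
```

Two things to check after `terraform apply`: the console's "Replication rules" page should now show the source key under the rule, because that display is derived from the kms:Decrypt grant in the role's policy, not from the rule itself; and if the replica bucket and key live in another account (the cross-account case Answer 0 mentions), the replica bucket policy and the replica key's key policy must also allow the replication role, since an IAM policy in the source account cannot grant access to resources in a different account by itself.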