KMS加密后无法从S3下载文件

时间:2019-01-21 19:01:37

标签: amazon-web-services amazon-s3 terraform aws-cli aws-kms

使用terraform,我能够创建启用KMS加密的S3存储桶。但是,当我尝试从启用了S3 KMS的存储桶下载任何文件时,却无法下载Access Denied

错误日志:-

download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

main.tf 

resource "aws_s3_bucket" "s3_bucket_two" {
  bucket = "dev-analytics-data"
#  bucket = "services-${lookup(var.aws_account_id, terraform.workspace)}-cicd-storage"
  acl    = "${var.acl}"
  versioning {
    enabled = "${var.enable_versioning}"
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${data.terraform_remote_state.kms_s3.key_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

使用的IAM策略:-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345678910:role/iam_role_devops_engineer",
                    "arn:aws:iam:: 12345678910:role/EMR_AutoScaling_DefaultRole",
                    "arn:aws:iam:: 12345678910:role/EMR_DefaultRole",
                    "arn:aws:iam:: 12345678910:user/iam_user_cng_jenkins",
                    "arn:aws:iam:: 12345678910:role/iam_role_sftp",
                    "arn:aws:iam:: 12345678910:role/iam_role_jenkins_user",
                    "arn:aws:iam:: 12345678910:role/EMR_EC2_DefaultRole"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::services-12345678910-cicd-storage",
                "arn:aws:s3:::services-12345678910-cicd-storage/*"
            ]
        }
    ]
}

我也尝试通过aws cli上传,但仍然失败。

aws s3 cp --sse aws:kms --sse-kms-key-id arn:aws:kms:eu-central-1:1234567890:key/123asdps-as34-as23-asas-aslkui98393 spark-sql-kinesis_2.11-2.3.1.jar s3://services-1234567890-cicd-storage/tesie_jars/

2 个答案:

答案 0 :(得分:5)

您需要在IAM策略中授予对KMS密钥的访问权限。

我不是100%地确定您需要的权限,而是从这些权限开始(我碰巧知道此设置有效,因为我是从有效的策略中复制它的,但是它可能包含不需要的权限): 

{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GetKeyPolicy",
        "kms:ListGrants",
        "kms:ListKeyPolicies",
        "kms:ListRetirableGrants",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
    ],
    "Resource": "arn:aws:kms:REDACTED:REDACTED:key/REDACTED"
},
{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateRandom",
        "kms:ListAliases",
        "kms:ListKeys"
    ],
    "Resource": "*"
}

答案 1 :(得分:0)

您提到在加密后无法检索对象;您可以在没有加密的相同存储桶中检索对象吗?我问是因为加密不是访问控制。这是读取控制。访问控制列表(ACL)是访问控制。

相关问题
最新问题