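Uploading a file to a KMS-encrypted S3 bucket

Time: 2020-10-15 05:06:26

Tags: amazon-s3 aws-lambda boto3 aws-kms

The bucket policy has a "Deny" action if the header does not match the string specified in the policy. I am trying this code, but I get an error because access is denied when uploading to S3. I also tried including SSEKMSKeyId.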

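import boto3
from botocore.config import Config  # Config is used below and must be imported

# Source, Bucket and Sink are set elsewhere by the caller.
s3_client = boto3.client('s3', config=Config(signature_version='s3v4'))

# The KMS key id is passed through Metadata, as in the original post.
s3_client.put_object(Body=open(Source, 'rb'),
                     Bucket=Bucket,
                     Key=Sink,
                     ServerSideEncryption='aws:kms',
                     Metadata={'x-amz-server-side-encryption-aws-kms-key-id': '9999999999999'})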


Bucket Policy

{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:putObject",
    "Resource": "bucket-name/*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-#:########:key/9999999999999"
        }
    }
}
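
An added example, not part of the original post: a small offline model of which request headers the put_object parameters above turn into, and whether the Deny statement's StringNotEquals condition matches them. The helper names request_headers and deny_applies are hypothetical, and comparing the header as the exact string the client sent is an assumption of the model.

```python
# Added example: offline model, makes no AWS calls.
# Value copied from the policy on this page (redacted placeholder ARN).
KEY_ARN = "arn:aws:kms:us-west-#:########:key/9999999999999"

DENY_STATEMENT = {
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Condition": {"StringNotEquals": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}},
}

# put_object parameters and the HTTP headers they are sent as.
PARAM_TO_HEADER = {
    "ServerSideEncryption": "x-amz-server-side-encryption",
    "SSEKMSKeyId": "x-amz-server-side-encryption-aws-kms-key-id",
}


def request_headers(**params):
    """Hypothetical helper: headers a put_object call with these params carries."""
    headers = {}
    for name, value in params.items():
        if name == "Metadata":
            # User metadata is always sent under the x-amz-meta- prefix.
            for meta_key, meta_value in value.items():
                headers["x-amz-meta-" + meta_key] = meta_value
        elif name in PARAM_TO_HEADER:
            headers[PARAM_TO_HEADER[name]] = value
    return headers


def deny_applies(statement, headers):
    """Hypothetical helper: True when every StringNotEquals test holds.
    A missing header counts as 'not equal'. Assumption of this model:
    the header is compared as the exact string the client sent."""
    tests = statement["Condition"]["StringNotEquals"]
    return all(headers.get(key.split(":", 1)[1]) != expected
               for key, expected in tests.items())


as_posted = request_headers(
    ServerSideEncryption="aws:kms",
    Metadata={"x-amz-server-side-encryption-aws-kms-key-id": "9999999999999"})
bare_key_id = request_headers(ServerSideEncryption="aws:kms",
                              SSEKMSKeyId="9999999999999")
full_arn = request_headers(ServerSideEncryption="aws:kms", SSEKMSKeyId=KEY_ARN)

for label, hdrs in [("as posted", as_posted), ("bare key id", bare_key_id),
                    ("full ARN", full_arn)]:
    print(label, "->", "Deny" if deny_applies(DENY_STATEMENT, hdrs) else "no Deny match")
```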

0 answers:

No answers