Amazon web services KMS加密后无法从S3下载文件
使用terraform,我能够创建启用KMS加密的S3存储桶。但当我尝试从启用S3 KMS的存储桶下载任何文件时,它无法下载,并说Amazon web services KMS加密后无法从S3下载文件,amazon-web-services,amazon-s3,terraform,aws-cli,aws-kms,Amazon Web Services,Amazon S3,Terraform,Aws Cli,Aws Kms,使用terraform,我能够创建启用KMS加密的S3存储桶。但当我尝试从启用S3 KMS的存储桶下载任何文件时,它无法下载,并说访问被拒绝 错误日志:- download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation
访问被拒绝
错误日志:-
download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
main.tf
resource "aws_s3_bucket" "s3_bucket_two" {
bucket = "dev-analytics-data"
# bucket = "services-${lookup(var.aws_account_id, terraform.workspace)}-cicd-storage"
acl = "${var.acl}"
versioning {
enabled = "${var.enable_versioning}"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "${data.terraform_remote_state.kms_s3.key_arn}"
sse_algorithm = "aws:kms"
}
}
}
}
使用的IAM策略:-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::12345678910:role/iam_role_devops_engineer",
"arn:aws:iam:: 12345678910:role/EMR_AutoScaling_DefaultRole",
"arn:aws:iam:: 12345678910:role/EMR_DefaultRole",
"arn:aws:iam:: 12345678910:user/iam_user_cng_jenkins",
"arn:aws:iam:: 12345678910:role/iam_role_sftp",
"arn:aws:iam:: 12345678910:role/iam_role_jenkins_user",
"arn:aws:iam:: 12345678910:role/EMR_EC2_DefaultRole"
]
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::services-12345678910-cicd-storage",
"arn:aws:s3:::services-12345678910-cicd-storage/*"
]
}
]
}
我还尝试通过aws cli上载,但仍然失败
aws s3 cp--sse aws:kms--sse kms密钥id arn:aws:kms:eu-central-1:1234567890:key/123asdps-as34-as23-asas-aslkui98393 spark-sql-kinesis_2.11-2.3.1.jar s3://services-1234567890-cicd-storage/tesie_jars/
您提到加密后无法检索对象;您是否可以在不加密的情况下从同一个存储桶中检索对象?我这样问是因为加密不是访问控制;它是读控制。访问控制列表(ACL)是访问控制。您需要在IAM策略中授予对KMS密钥的访问权
我不能百分之百确定您需要的权限,但请从这些权限开始(我碰巧知道此集合可以工作,因为我是从工作策略复制的,但它可能包括不需要的权限):
是的,我可以在KMS加密之前访问S3存储桶。我在前面使用了默认加密(AES-256)。请参阅“对象由AWS KMS加密”部分下载KMS加密文件时,您只需访问“KMS:Decrypt”
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GetKeyPolicy",
"kms:ListGrants",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:ReEncryptFrom",
"kms:ReEncryptTo"
],
"Resource": "arn:aws:kms:REDACTED:REDACTED:key/REDACTED"
},
{
"Effect": "Allow",
"Action": [
"kms:GenerateRandom",
"kms:ListAliases",
"kms:ListKeys"
],
"Resource": "*"
}