Amazon web services KMS加密后无法从S3下载文件_Amazon Web Services_Amazon S3_Terraform_Aws Cli_Aws Kms

Amazon web services KMS加密后无法从S3下载文件

amazon-web-services amazon-s3 terraform

Amazon web services KMS加密后无法从S3下载文件,amazon-web-services,amazon-s3,terraform,aws-cli,aws-kms,Amazon Web Services,Amazon S3,Terraform,Aws Cli,Aws Kms,使用terraform，我能够创建启用KMS加密的S3存储桶。但当我尝试从启用S3 KMS的存储桶下载任何文件时，它无法下载，并说访问被拒绝错误日志：- download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation

使用terraform，我能够创建启用KMS加密的S3存储桶。但当我尝试从启用S3 KMS的存储桶下载任何文件时，它无法下载，并说

访问被拒绝

错误日志：-

download failed: s3://services-1234567890-cicd-storage/jars/jdbc-0.211.jar to utilities/jdbc-0.211.jar An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

main.tf

resource "aws_s3_bucket" "s3_bucket_two" {
  bucket = "dev-analytics-data"
#  bucket = "services-${lookup(var.aws_account_id, terraform.workspace)}-cicd-storage"
  acl    = "${var.acl}"
  versioning {
    enabled = "${var.enable_versioning}"
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${data.terraform_remote_state.kms_s3.key_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

使用的IAM策略：-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345678910:role/iam_role_devops_engineer",
                    "arn:aws:iam:: 12345678910:role/EMR_AutoScaling_DefaultRole",
                    "arn:aws:iam:: 12345678910:role/EMR_DefaultRole",
                    "arn:aws:iam:: 12345678910:user/iam_user_cng_jenkins",
                    "arn:aws:iam:: 12345678910:role/iam_role_sftp",
                    "arn:aws:iam:: 12345678910:role/iam_role_jenkins_user",
                    "arn:aws:iam:: 12345678910:role/EMR_EC2_DefaultRole"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::services-12345678910-cicd-storage",
                "arn:aws:s3:::services-12345678910-cicd-storage/*"
            ]
        }
    ]
}

我还尝试通过aws cli上载，但仍然失败

aws s3 cp--sse aws:kms--sse kms密钥id arn:aws:kms:eu-central-1:1234567890:key/123asdps-as34-as23-asas-aslkui98393 spark-sql-kinesis_2.11-2.3.1.jar s3://services-1234567890-cicd-storage/tesie_jars/

您提到加密后无法检索对象；您是否可以在不加密的情况下从同一个存储桶中检索对象？我这样问是因为加密不是访问控制；它是读控制。访问控制列表（ACL）是访问控制。

您需要在IAM策略中授予对KMS密钥的访问权

我不能百分之百确定您需要的权限，但请从这些权限开始（我碰巧知道此集合可以工作，因为我是从工作策略复制的，但它可能包括不需要的权限）：

是的，我可以在KMS加密之前访问S3存储桶。我在前面使用了默认加密（AES-256）。请参阅“对象由AWS KMS加密”部分下载KMS加密文件时，您只需访问“KMS:Decrypt”

{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GetKeyPolicy",
        "kms:ListGrants",
        "kms:ListKeyPolicies",
        "kms:ListRetirableGrants",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
    ],
    "Resource": "arn:aws:kms:REDACTED:REDACTED:key/REDACTED"
},
{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateRandom",
        "kms:ListAliases",
        "kms:ListKeys"
    ],
    "Resource": "*"
}