【Question title】: how to upload files to s3 with server side encryption enabled by custom kms key
【Posted】: 2020-07-08 09:03:42
【Question】:

Created 2 new KMS keys:

custom-client-side-encrypt-kms-key (encrypts the file on the client side);
custom-server-side-encrypt-kms-key (enables S3 server-side encryption)

Created a new user:

test-user-encrypt

Granted the user access to the keys and the bucket; set a new key policy that allows the user to use the keys.

  1. Ran the command (new user's credentials, with the key ID option)
 aws s3api put-object --body newFile --bucket <bucket-name> --key inbound/newFile --server-side-encryption aws:kms --ssekms-key-id newKeyId

Error: An error occurred when calling the PutObject operation: Access Denied

  2. Ran the command (new user's credentials, without the key ID option)
aws s3api put-object --body newFile --bucket <bucket-name> --key inbound/newFile --server-side-encryption aws:kms 

It works, but the object is encrypted with the AWS managed default KMS key.

Based on the tests above, the user seems to have the correct permissions on S3, but the KMS key permissions are not correct.

Here are my policies in brief (xx.xx.xx.xx stands for the allowed IP addresses):

Key policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxid:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxid:user/test_user_encrypt"
            },
            "Action": [
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx",
                        "xx.xx.xx.xx"
                    ]
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxid:user/test_user_encrypt"
            },
            "Action": [
                "kms:RevokeGrant",
                "kms:ListGrants",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                },
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx",
                        "xx.xx.xx.xx"
                    ]
                }
            }
        }
    ]
}

IAM user policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:<region>:xxID:key/custom-client-side-encrypt-kms-key-id",
      "Condition": {
        "ForAnyValue:IpAddress": {
          "aws:SourceIp": [
            "xx.xx.xx.xx"
          ]
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:RevokeGrant",
        "kms:ReEncrypt*",
        "kms:ListGrants",
        "kms:GenerateDataKey",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt",
        "kms:CreateGrant"
      ],
      "Resource": "arn:aws:kms:<region>:xxxID:key/<custom-server-side-encrypt-key-id>",
      "Condition": {
        "ForAnyValue:IpAddress": {
          "aws:SourceIp": [
            "xx.xx.xx.xx"
          ]
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket/inbound/*",
      "Condition": {
        "ForAnyValue:IpAddress": {
          "aws:SourceIp": [
            "xx.xxx.xxx.xx"
          ]
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/*/*/*",
        "arn:aws:s3:::bucket/*/*/",
        "arn:aws:s3:::bucket/*/"
      ]
    }
  ]
}

Bucket policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxid:user/test_user_encrypt"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/inbound/*",
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxid:user/test_user_encrypt"
            },
            "Action": "s3:ListMultipartUploadParts",
            "Resource": "arn:aws:s3:::bucket/inbound/*",
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx"
                    ]
                }
            }
        },
        {
            "Sid": "DenyIncorrectEncryptKey",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:region:xxxid:key/custom-server-side-encrypt-kms-key-id"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket/*",
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

【Question comments】:

  • Are you asking a question? If you need help, please update your question so it is clear what help you need.
  • @DanielMorell Just updated my question. Thanks

Tags: amazon-s3 encryption


【Solution 1】:

I figured it out. I should not have put the "ip range" condition around the kms:grant permissions.

            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx"
                    ]
                }
            }

That condition makes kms:grant ineffective. My guess....

After removing the condition, it works fine.

【Comments】:

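The linter below is an added example, not code from the question or the answer. It reads a policy document and flags the pattern the answer removed: an aws:SourceIp condition on the KMS permissions that S3 exercises on the caller's behalf (GenerateDataKey, Decrypt and CreateGrant) during an SSE-KMS upload, where the request KMS evaluates is made by the service rather than from the user's own address. It also flags a set operator (ForAnyValue:/ForAllValues:) applied to aws:SourceIp, which is a single-valued key, and rejects a statement that carries two "Condition" keys, as the posted key policy did, since json.loads would otherwise silently keep only the last one. It goes one step beyond the thread by re-applying the IP restriction to direct calls only, using the NotIpAddress plus aws:ViaAWSService=false pattern from the IAM documentation. The policy text, the account ID 111122223333, the 203.0.113.0/24 range and every function name are constructed for this example.

```python
"""Lint and repair a KMS key policy for the failure in this thread: S3 performs the
KMS calls for SSE-KMS (GenerateDataKey, Decrypt, CreateGrant) on the caller's behalf,
so an aws:SourceIp condition on those permissions fails for the service-made request.
All policy text, account IDs and addresses below are constructed placeholders."""
import fnmatch
import json

KMS_ACTIONS_S3_NEEDS = ("kms:GenerateDataKey", "kms:Decrypt", "kms:CreateGrant")

# Constructed sample with the shape of the key policy in the question.
KEY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/test_user_encrypt"},
     "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey", "kms:Encrypt",
                "kms:DescribeKey", "kms:Decrypt"], "Resource": "*",
     "Condition": {"ForAnyValue:IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/test_user_encrypt"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"},
                   "ForAnyValue:IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}}
  ]
}"""

# Constructed sample reproducing the duplicate "Condition" key in the posted policy.
DUPLICATE_CONDITION = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "kms:CreateGrant", "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
  "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}}]}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: plain json.loads keeps only the last duplicate key, silently."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy object")
        obj[key] = value
    return obj


def load_policy(text):
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def _allows_kms_action_s3_needs(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(needed.lower(), p)
               for needed in KMS_ACTIONS_S3_NEEDS for p in patterns)


def lint_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid") or f"statement[{i}]"
        for operator, key_values in stmt.get("Condition", {}).items():
            if not any(k.lower() == "aws:sourceip" for k in key_values):
                continue
            if operator.lower().startswith(("foranyvalue:", "forallvalues:")):
                findings.append(f"{sid}: {operator} on single-valued aws:SourceIp; use IpAddress")
            if _allows_kms_action_s3_needs(stmt):
                findings.append(f"{sid}: aws:SourceIp on KMS actions that S3 calls for the user")
    return findings


def strip_source_ip_from_kms_allows(policy):
    """The fix from the answer: drop aws:SourceIp from the KMS Allow statements S3 relies on."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in _as_list(fixed.get("Statement", [])):
        if not _allows_kms_action_s3_needs(stmt):
            continue
        condition = stmt.get("Condition", {})
        for operator in list(condition):
            condition[operator] = {k: v for k, v in condition[operator].items()
                                   if k.lower() != "aws:sourceip"}
            if not condition[operator]:
                del condition[operator]
        if not condition:
            stmt.pop("Condition", None)
    return fixed


def add_direct_call_ip_deny(policy, principal_arn, cidrs):
    """Keep the IP restriction for calls the user makes directly: a Deny with NotIpAddress
    plus aws:ViaAWSService=false (the IAM docs' pattern) leaves S3's own KMS calls alone."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [{
        "Sid": "DenyDirectCallsFromOutsideAllowedRange", "Effect": "Deny",
        "Principal": {"AWS": principal_arn}, "Action": "kms:*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)},
                      "Bool": {"aws:ViaAWSService": "false"}}}]
    return fixed
```

Running lint_policy over the sample yields four findings (a set-operator and a service-call finding for each of the two conditioned statements); after strip_source_ip_from_kms_allows the kms:GrantIsForAWSResource condition survives and the findings are gone. Once the real key policy is updated, `aws s3api head-object --bucket <bucket-name> --key inbound/newFile` returns ServerSideEncryption and SSEKMSKeyId for the uploaded object, which confirms which key actually encrypted it rather than relying on the absence of an error.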