我的账户中有一个 s3 存储桶,默认启用了 SSEaws-kms
钥匙。我希望向我的存储桶提供另一个帐户的读取权限。
我已点击以下链接来提供访问权限:https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/ https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
我在用aws s3 ls <s3://bucket_name>
and aws s3 cp <path to s3 object> .
下载对象
我尝试在未启用 SSE 的情况下提供对存储桶的跨账户访问。我成功地检索了存储桶详细信息并下载了对象。但是,当我尝试从启用了 SSE 的存储桶下载对象时,我得到了An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
例外。我可以列出启用 SSE 的存储桶中的对象,但不能下载它们。
我的存储桶政策:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
账户中的 ReadOnly 角色拥有所有 aws 服务的读取权限。此外,我还为该角色附加了以下策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeProperites",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionTorrent",
"s3:GetBucketRequestPayment",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "SomePermission",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "KMSWriteKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
我相信由于 KMS 解密,我无法获取对象,因为我可以使用禁用 SSE 的存储桶进行下载。我的上述政策正确吗?如果使用默认 kms 密钥,我是否需要提供一些额外的权限?是否可以使用默认的 kms 密钥并提供跨帐户访问?