
I am trying to configure a Kinesis Firehose delivery stream to write files to S3. I created the Firehose stream to use the one named att1.

Here is the policy attached to the att configuration. I took the format from this page: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3

I have validated the policy, but I am not sure whether it is correct.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:*",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3bucket",
                "arn:aws:s3:::s3bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:515766555555:key/cdee14ca-12b1-4790-9513-d007a3192f43"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"
                }
            }
        }
    ]
}

The configuration has obviously been edited for privacy; otherwise it is copied directly from the policy.


1 Answer


I think your StringLike condition on the KMS key policy is wrong. The documentation suggests it should actually be arn:aws:s3:::<s3bucket>/<prefix>*.

So if you have configured Firehose to write to bucket abc with prefix def, it should look like this:

"StringLike": {
    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::abc/def*"
}
answered 2016-03-01T20:45:46.020
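As an added example (not code from the question or the answer), a small simulator of the KMS condition block above: it applies IAM StringEquals/StringLike matching to the request context S3 presents to KMS, assuming S3 supplies the object ARN arn:aws:s3:::bucket/key as the aws:s3:arn encryption-context value. It also shows why a pattern without the slash, like the question's arn:aws:s3:::s3bucket*, also matches any other bucket whose name merely starts with s3bucket, which is the least-privilege reason for the bucket/prefix* form.

```python
import re

# Constructed condition block in the form the answer recommends:
# bucket "abc", prefix "def".
CONDITION = {
    "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
    "StringLike": {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::abc/def*"},
}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters (including '/'),
    '?' matches exactly one; everything else is literal and case-sensitive."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_allows(condition: dict, request_context: dict) -> bool:
    """Evaluate a Condition block with StringEquals/StringLike operators.
    Every operator and every key must match; a key absent from the request
    context fails (no ...IfExists operator is used in the policy)."""
    matchers = {
        "StringEquals": lambda pat, val: pat == val,
        "StringLike": iam_string_like,
    }
    for operator, keys in condition.items():
        for key, pattern in keys.items():
            value = request_context.get(key)
            if value is None or not matchers[operator](pattern, value):
                return False
    return True


def s3_request_context(bucket: str, key: str, region: str = "us-east-1") -> dict:
    """Assumed shape of the context S3 presents to KMS for an SSE-KMS object:
    the calling service and the object ARN as the aws:s3:arn encryption context."""
    return {
        "kms:ViaService": f"s3.{region}.amazonaws.com",
        "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}",
    }
```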