3

我试图要求放入存储桶中的所有对象都使用特定的 KMS 密钥进行加密。我设法要求 KMS 加密,但密钥规范不起作用。这是我目前的政策(没有真实的存储桶名称和 ID):

{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyInsecureCommunications",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket1,
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:123456789:key/12345-123-notmy-keyid-1234566"
                }
            }
        },

        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

这正确地拒绝了没有指定任何服务器端加密的上传,但它仍然允许使用默认的 s3 密钥。

4

1 回答 1

5

如果有多个条件运算符,或者如果有多个键附加到单个条件运算符,则使用逻辑 AND 评估条件。

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition

这表明双条件策略仅在两个字符串不相等时才会拒绝(即,如果未使用加密并且key-id 错误)。

将测试 分成两个单独s3:x-amz-server-side-encryption的 策略语句应该是解决方法。s3:x-amz-server-side-encryption-aws-kms-key-idDeny

于 2016-12-13T05:57:34.970 回答