1

我正在尝试将账户 B 中的 Glue 中的虚拟文件放入账户 A 中的 S3 存储桶中。S3 存储桶(测试存储桶)正在启用 AWS-KMS 加密并启用了 aws/s3 托管密钥。

  1. 我在账户 A-S3 存储桶(测试存储桶)中添加了以下权限:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny PutObject if NOT using correct KMS Encryption Key",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN_KMS_ACCOUNT_A>"
                }
            }
        },
        {
            "Sid": "Allow Glue Role in Application account to put objects in the S3 bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM_Glue_Role_ARN>"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ]
        },
        {
            "Sid": "Only allow writes to my bucket with bucket owner full control",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM_Glue_Role_ARN>"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
  1. 向账户 B 中的 IAM Glue 角色添加了以下策略
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::test-bucket*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<ARN_KMS_ACCOUNT_A>",
            "Effect": "Allow"
        }
    ]
}

这是我的胶水代码:

s3.put_object(
    Bucket='output',
    Key='_SUCCESS',
    ServerSideEncryption='aws:kms',
    SSEKMSKeyId='<ARN_KMS_ACCOUNT_A>'
)

从 Account B Glue 运行此代码时出现以下错误:

ClientError: An error occurred (KMS.NotFoundException) when calling the PutObject operation: Invalid arn ap-southeast-2

对此有什么想法吗?

4

2 回答 2

0

有几件事:

  1. 对于存储桶上的策略,Deny权限应始终位于所有Allow权限之后。并删除conditionDeny权限。您想阻止所有未经授权的流量。
  2. 使用托管 KMS 密钥。在该密钥上,授予kms:decrypt密钥策略上的胶水角色。
于 2021-04-21T01:02:20.253 回答
0

AWS 托管 CMKaws/s3只能在同一账户中使用,即密钥存在的地方(在您的情况下,它的账户 A)。您可以尝试使用aws/s3账户 B 中的 CMK 或在账户 A 中创建客户管理的 CMK,并按照此处的步骤与账户 B 共享。

于 2021-01-09T19:57:34.110 回答