
I am trying to upload a file through the AWS console to an S3 bucket that has default encryption set to SSE-KMS and a Deny statement in its bucket policy, but I get an Access Denied error. If I remove the Deny condition from the bucket policy, I can upload files to S3 with the AWS console.

I know this works with the aws cli using --sse aws:kms --sse-kms-key-id <kms-key-id>, but I want to know whether there is a way to upload the file through the AWS console?

Bucket policy -->

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "KMSPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MyBucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        }
    ]
}

KMS key policy -->

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345678:role/MyRole"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

IAM role policy -->

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::MyBucket"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::MyBucket/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:eu-west-1:12345678:key/1234-abcd-dcba-4321"
            ],
            "Effect": "Allow"
        }
    ]
}
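As an added illustration that is not part of the original question: a small Python model of how the Deny statement in the bucket policy above is evaluated against a PutObject request context. It relies on the IAM rule that a negated operator such as StringNotEquals evaluates to true when the condition key is absent from the request, and it models only the StringEquals, StringNotEquals and Null operators (a deliberate simplification; real IAM evaluation has many more).

```python
# Minimal model of IAM condition evaluation for the Deny statement in the
# bucket policy quoted in the question. Only three operators are modelled.

BUCKET_POLICY_DENY = {
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Condition": {
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
    },
}


def condition_matches(operator, key, expected, context):
    """Evaluate one condition entry against the request context.

    IAM semantics: when the key is missing from the request context,
    StringEquals is false but the negated StringNotEquals is TRUE. An upload
    that sends no x-amz-server-side-encryption header and relies on the
    bucket's default encryption therefore matches the Deny statement.
    """
    present = key in context
    if operator == "Null":
        # "Null": {key: "true"} matches when the key is absent, "false" when present
        return present != (expected == "true")
    if operator == "StringEquals":
        return present and context[key] == expected
    if operator == "StringNotEquals":
        return (not present) or context[key] != expected
    raise ValueError(f"unsupported operator {operator}")


def deny_applies(statement, action, context):
    """True when the Deny statement matches the request (every condition holds)."""
    if statement["Effect"] != "Deny" or statement["Action"] != action:
        return False
    return all(
        condition_matches(op, key, expected, context)
        for op, pairs in statement["Condition"].items()
        for key, expected in pairs.items()
    )


# Constructed request contexts (illustrative, not captured from a real request).
CLI_WITH_SSE_KMS = {"s3:x-amz-server-side-encryption": "aws:kms"}  # --sse aws:kms
NO_SSE_HEADER = {}  # header omitted, bucket default encryption expected to apply
EXPLICIT_AES256 = {"s3:x-amz-server-side-encryption": "AES256"}

if __name__ == "__main__":
    for name, ctx in [("cli sse-kms", CLI_WITH_SSE_KMS), ("no header", NO_SSE_HEADER),
                      ("AES256", EXPLICIT_AES256)]:
        verdict = "DENIED" if deny_applies(BUCKET_POLICY_DENY, "s3:PutObject", ctx) else "not denied"
        print(f"{name:12s} -> {verdict}")
```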