问题
I have an s3 bucket in my account which has SSE enabled using default aws-kms key. I wish to provide read access to another account to my bucket.
I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object> . to download the object
I tried providing cross-account access to a bucket without SSE enabled. I was successfully able to retrieve bucket details and download object. However, when I try to download object from a bucket with SSE enabled I get An error occurred (AccessDenied) when calling the GetObject operation: Access Denied exception. I am able to list objects from the SSE-enabled bucket, just not download them.
My bucket policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
The ReadOnly role in the account has read permissions to all aws services. In addition I attached the following policy to the role as well
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeProperites",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionTorrent",
"s3:GetBucketRequestPayment",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "SomePermission",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "KMSWriteKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
I believe I am not able to getObject due to KMS decryption since I able to download with a SSE-disabled bucket. Is my policy above correct? Do I need to provide some additional permissions if using default kms keys? Is it possible to use default kms keys and provide cross-account access?
回答1:
To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:
- The bucket policy in Account A must grant access to Account B.
- The AWS KMS key policy in Account A must grant access to the user in Account B.
- The AWS Identity and Access Management (IAM) user policy in Account B must grant the user access to both the bucket and the key in Account A.
See more information here:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
来源:https://stackoverflow.com/questions/59043525/s3-cross-account-access-with-default-kms-key