需要在 S3 存储桶策略中使用特定密钥 ID 进行 KMS 加密
Require KMS encryption with specific key ID in S3 bucket policy
我正在尝试要求放入存储桶中的所有对象都使用特定的 KMS 密钥进行加密。我设法要求 KMS 加密,但密钥规范不起作用。这是我的当前策略(没有真实的存储桶名称和 ID):
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyInsecureCommunications",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket1,
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms",
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:123456789:key/12345-123-notmy-keyid-1234566"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
这正确地拒绝了没有指定任何服务器端加密的上传,但它仍然允许使用默认的 s3 密钥。
If there are multiple condition operators, or if there are multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition
这表明双重条件策略只会在 两个 字符串不相等时拒绝(也就是说,如果不使用加密 and key-id 错误)。
分离测试
s3:x-amz-server-side-encryption
和
s3:x-amz-server-side-encryption-aws-kms-key-id
分成两个单独的 Deny
政策声明应该是解决方法。
我正在尝试要求放入存储桶中的所有对象都使用特定的 KMS 密钥进行加密。我设法要求 KMS 加密,但密钥规范不起作用。这是我的当前策略(没有真实的存储桶名称和 ID):
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyInsecureCommunications",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket1,
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms",
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:123456789:key/12345-123-notmy-keyid-1234566"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
这正确地拒绝了没有指定任何服务器端加密的上传,但它仍然允许使用默认的 s3 密钥。
If there are multiple condition operators, or if there are multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition
这表明双重条件策略只会在 两个 字符串不相等时拒绝(也就是说,如果不使用加密 and key-id 错误)。
分离测试
s3:x-amz-server-side-encryption
和
s3:x-amz-server-side-encryption-aws-kms-key-id
分成两个单独的 Deny
政策声明应该是解决方法。