Select AWS RDS Aurora 进入带 KMS 的 S3 加密存储桶

Question

我正在尝试使用 AWS RDS Aurora 功能 SELECT * INTO OUTFILE S3 :some_bucket/object_key，其中 some_bucket 具有使用 KMS 的默认服务器端加密。

我收到此错误，这是有道理的：

InternalError: (InternalError) (1871, u'S3 API returned error: Unknown:Unable to parse ExceptionName: KMS.NotFoundException Message: Invalid keyId')

我怎样才能让它工作，让 Aurora 拥有 KMS 密钥，以便它可以将文件上传到 S3？

Answer 1

根据文档

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.SaveIntoS3.html#AuroraMySQL.Integrating.SaveIntoS3.Statement

Compressed or encrypted files are not supported.

但是您可以使用针对特定后缀的 "NotResource" 策略和 select 为存储桶创建异常策略，然后您可以从那里触发 lambda 将文件移动到加密的实际路径.

Answer 2

Aurora MySQL 目前支持此功能。按照上述官方文档将 IAM 角色添加到您的 RDS 集群，并确保该角色具有同时授予 S3 read/write 和 KMS encryption/decryption 的策略，例如

        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:ReEncrypt*",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:<region>:<account>:key/<key id>"
        }

Select AWS RDS Aurora 进入带 KMS 的 S3 加密存储桶

Select AWS RDS Aurora into S3 encrypted bucket with KMS

encryption

amazon-s3

amazon-rds

aws-kms

amazon-aurora