Amazon Macie 为发现保留创建存储桶时出现 putClassificationExportConfiguration 错误
putClassificationExportConfiguration error with Amazon Macie creating a bucket for discoveries retention
我们刚刚开始使用 Amazon Macie,但在创建存储桶以将结果保留超过 90 天时遇到了问题。
我们得到的错误是:
putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both.
我们正在使用 AWS SSO 连接到控制台,我的用户拥有管理员权限,在我查看我的 IAM 策略配置时有效 * 在资源和 * 操作中。
S3 存储桶策略是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny non-HTTPS access",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "Deny incorrect encryption header. This is optional",
"Effect": "Deny",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:accountid:key/keynumber"
}
}
},
{
"Sid": "Deny unencrypted object uploads. This is optional",
"Effect": "Deny",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "Allow Macie to upload objects to the bucket",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*"
},
{
"Sid": "Allow Macie to use the getBucketLocation operation",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::macie-investigations"
}
]
}
这是我们创建的对称密钥的策略:
{
"Sid": "Allow Macie to use the key",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "*"
}
kms 密钥允许我的角色和 macie 的角色作为管理员配置以及使用配置,如下所示:
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountid:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
我们已尝试创建具有以下特定内容的 IAM 用户:macie2:PutClassificationExportConfiguration 无效。
正在创建一个新的存储桶,public 或私有的,也无济于事。
我们还尝试在存储桶策略中明确添加我们的管理员用户,并在策略中授予对 macie 服务的所有权限,但也无济于事。我们总是得到同样的错误。存储桶与密钥在同一区域和帐户中。
唯一来自不同账户的是 AWS SSO 托管角色,它们适用于组织内的主账户。
有谁知道我们显然没有意识到在哪里寻找的缺失 link 在哪里?
非常感谢您的帮助!
在 KMS 中创建的密钥在策略中缺少以下内容:
{
"Sid": "Allow Macie to use the key",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "*"
}
我们刚刚开始使用 Amazon Macie,但在创建存储桶以将结果保留超过 90 天时遇到了问题。
我们得到的错误是:
putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both.
我们正在使用 AWS SSO 连接到控制台,我的用户拥有管理员权限,在我查看我的 IAM 策略配置时有效 * 在资源和 * 操作中。
S3 存储桶策略是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny non-HTTPS access",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "Deny incorrect encryption header. This is optional",
"Effect": "Deny",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:accountid:key/keynumber"
}
}
},
{
"Sid": "Deny unencrypted object uploads. This is optional",
"Effect": "Deny",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "Allow Macie to upload objects to the bucket",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::macie-investigations/*"
},
{
"Sid": "Allow Macie to use the getBucketLocation operation",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::macie-investigations"
}
]
}
这是我们创建的对称密钥的策略:
{
"Sid": "Allow Macie to use the key",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "*"
}
kms 密钥允许我的角色和 macie 的角色作为管理员配置以及使用配置,如下所示:
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountid:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
"arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
"arn:aws:iam::accountid:user/username"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
我们已尝试创建具有以下特定内容的 IAM 用户:macie2:PutClassificationExportConfiguration 无效。
正在创建一个新的存储桶,public 或私有的,也无济于事。 我们还尝试在存储桶策略中明确添加我们的管理员用户,并在策略中授予对 macie 服务的所有权限,但也无济于事。我们总是得到同样的错误。存储桶与密钥在同一区域和帐户中。
唯一来自不同账户的是 AWS SSO 托管角色,它们适用于组织内的主账户。
有谁知道我们显然没有意识到在哪里寻找的缺失 link 在哪里?
非常感谢您的帮助!
在 KMS 中创建的密钥在策略中缺少以下内容:
{
"Sid": "Allow Macie to use the key",
"Effect": "Allow",
"Principal": {
"Service": "macie.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "*"
}