Have you tried with a Service Control Policy and add Condition to not apply to a specific path? Just an idea as I haven’t tested that approach.
I got help from AWS Support on this (thanks, Manish!). The trick is the NotResource clause, which I'd never noticed in the documentation before:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWrongKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": "arn:aws:s3:::MYBUCKET/redshift_exports/*",
      "Condition": {
        "ArnNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID"
        }
      }
    },
    {
      "Sid": "RequireRedshiftBehaviorInRedshiftPrefix",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MYBUCKET/redshift_exports/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
This does exactly what we wanted:
- If the PutObject is inside the Redshift prefix, it must have the behavior redshift does.
- If it's outside the Redshift prefix, it must be encrypted with the default CMK for this bucket.
Of course, having to use 3 NOTs to make an assertion isn't exactly intuitive (Deny, NotResource, ArnNotEquals). It also doesn't generalize well for default cases; e.g., it's hard to write a rule that says "if the x-amz-acl argument exists, it must have value 'bucket-owner-full-control'", because ...IfExists doesn't work in DENY. The ArnNotEquals works above because in the default case, S3 still acts like that header was provided.
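Added example (not part of the answer above): a small Python simulation of how these two Deny statements behave for a few constructed PutObject requests. It assumes bucket default encryption is SSE-KMS with the bucket's CMK (so S3 fills in the SSE condition keys for a request that sends none, the "default case" the answer mentions) and applies the IAM rule that a negated operator such as ArnNotEquals matches when its key is absent from the request; the placeholder ARNs are the ones from the answer.

```python
"""Added example (not from the answer): simulate the two Deny statements above
against constructed PutObject requests. Assumptions: default bucket encryption is
SSE-KMS with DEFAULT_CMK, and negated operators match when their key is absent."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::MYBUCKET"                      # placeholders from the answer
DEFAULT_CMK = "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID"
REDSHIFT_PREFIX = f"{BUCKET}/redshift_exports/*"

STATEMENTS = [  # the two Deny statements, minus Principal/Action/Effect
    {"Sid": "DenyWrongKey", "NotResource": REDSHIFT_PREFIX,
     "Condition": {"ArnNotEquals": {
         "s3:x-amz-server-side-encryption-aws-kms-key-id": DEFAULT_CMK}}},
    {"Sid": "RequireRedshiftBehaviorInRedshiftPrefix", "Resource": REDSHIFT_PREFIX,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
]

def request_context(headers):
    """Condition keys S3 evaluates. With no SSE headers, default bucket encryption
    makes the put look like an explicit SSE-KMS put with the bucket's CMK
    (the 'default case' the answer relies on)."""
    ctx = dict(headers)
    if "s3:x-amz-server-side-encryption" not in ctx:
        ctx["s3:x-amz-server-side-encryption"] = "aws:kms"
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = DEFAULT_CMK
    return ctx

def resource_matches(stmt, arn):
    if "Resource" in stmt:
        return fnmatchcase(arn, stmt["Resource"])
    return not fnmatchcase(arn, stmt["NotResource"])  # NotResource: everything else

def condition_matches(stmt, ctx):
    # ArnNotEquals / StringNotEquals match unless the key is present AND equal,
    # so a request that lacks the key is also caught by the Deny.
    for pairs in stmt["Condition"].values():
        for key, value in pairs.items():
            if ctx.get(key) == value:
                return False
    return True

def put_object_denied(object_key, headers):
    """Return the Sid of the Deny statement that blocks the request, or None."""
    arn, ctx = f"{BUCKET}/{object_key}", request_context(headers)
    for stmt in STATEMENTS:
        if resource_matches(stmt, arn) and condition_matches(stmt, ctx):
            return stmt["Sid"]
    return None
```

Running it shows the asymmetry the answer describes: an upload with no SSE headers outside the Redshift prefix passes only because default encryption supplies the key id, while the same header-less upload inside the prefix is denied because Redshift's AES256 is required there.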
Thanks! I might have gone down that route, but all I needed in the end was NotResource.