S3 Server Access Logging - Cross-Account for encrypted objects

0

Dear community,

Requesting your support.

**Situation:**

  • We do have a multi-account setup with a centralized logging account
  • We need to write S3 Server Access Logs from a decentral Account D to the central Account C
  • Objects in decentral Account D are encrypted - this must be Amazon Managed Key because S3 Server Access Logs are not compatible with Customer Managed Keys acc. to AWS documentation
  • Unfortunately Amazon Managed Keys cannot be shared cross-account, because one cannot define its policies

**Target:**

  • We want to decrypt the files in decentral Account D using its Amazon Managed Key and write S3 Server Access Logs in a dedicated bucket in same account
  • Then we replicate objects to Central Account C, and reencrypt with a Customer Managed Key from Central Account C - this seems technically not possible

**Error Message:**
"You don’t have permission to get the server-side encryption settings After you or your AWS administrator has updated your permissions to allow the s3:GetObject action, refresh the page. "

Any ideas?
(update: I added a comment below with additional context - see my response to Osvaldo)

2 answers
1
Accepted answer

Update: I was able to fix it myself.

Root cause: The Replication Destination was misconfigured. Using Terraform the destination bucket was set up as if in the same account. Changing the Replication Destination to "specify a bucket in another account" fixed the issue. This is still strange, because objects were replicated using the "choose bucket in this account" option with a bucket name from a different account. However, it is fixed. Thanks for your help!

Additional note: You can simply keep the Amazon Managed Key setting for encryption. Using the option "change object ownership to destination bucket owner" uses the destination Amazon Managed Key. No need to use Customer Managed Key in this case.

Andre
answered 2 months ago
Expert
reviewed 2 months ago
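The fix Andre describes, written out as the Terraform the question mentions (an added example, not the poster's own configuration): the destination block in its original same-account form beside the corrected cross-account form, plus the destination bucket policy statement the ownership override needs. Bucket names, account IDs and the role name are placeholders, and the bucket policy resource is assumed to be applied in Account C through its own provider.

```hcl
# Replication rule in decentral Account D, on the server access log bucket (bucket 2).
# Misconfigured form (what the original Terraform expressed): only "bucket" is set,
# so S3 treats the destination as same-account and replicas stay owned by Account D,
# which is what left Account C unable to open them.
#
#   destination {
#     bucket = "arn:aws:s3:::central-access-logs"
#   }
#
# Corrected form: declare the destination account and hand ownership of each replica
# to the destination bucket owner (console: "specify a bucket in another account" +
# "change object ownership to destination bucket owner").
resource "aws_s3_bucket_replication_configuration" "access_logs_to_central" {
  bucket = "decentral-access-logs"                  # placeholder name for bucket 2
  role   = aws_iam_role.replication.arn             # assumed replication role in Account D
  rule {
    id     = "access-logs-to-central"
    status = "Enabled"
    destination {
      bucket  = "arn:aws:s3:::central-access-logs"  # placeholder name for bucket 3
      account = "111122223333"                      # placeholder: Account C id
      # Replicas become owned by Account C; with SSE-S3 (Amazon managed key) sources
      # no Customer Managed Key is needed, as the accepted answer reports.
      access_control_translation {
        owner = "Destination"
      }
    }
  }
}

# Destination bucket policy in central Account C. The owner override above is only
# honoured if the source replication role is also granted
# s3:ObjectOwnerOverrideToBucketOwner on the destination bucket.
resource "aws_s3_bucket_policy" "central_access_logs" {
  bucket = "central-access-logs"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowReplicationFromAccountD"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::444455556666:role/s3-replication" } # placeholder: Account D role
      Action = [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ]
      Resource = "arn:aws:s3:::central-access-logs/*"
    }]
  })
}
```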
0

To replicate S3 Server Access Logs from Account D to Account C with encryption requirements, follow these steps:

  1. In Account D:
    • Enable S3 Server Access Logging to a specific bucket.
    • Set a bucket policy allowing cross-account access from Account C for s3:GetObject and s3:ReplicateObject.
  2. In Account C:
    • Create a Customer Managed Key (CMK) in KMS for encryption.
    • Configure S3 replication to copy logs from Account D to C, encrypting with the CMK in Account C.
    • Create an IAM role with permissions for replication and encryption (s3:ReplicateObject, s3:ReplicateDelete, kms:Encrypt), accessible by Account D.
  3. Troubleshooting:
    • Ensure roles/users in both accounts have the necessary permissions (s3:GetObject, kms:Decrypt, s3:GetEncryptionConfiguration).
Expert
answered 2 months ago
Hi Osvaldo,

If I understand you correctly, you want to set up replication INSIDE the central Account C, which is technically not possible from what I see. You can set up a replication rule only from inside an S3 bucket. This S3 bucket is always the source of the replication.

It is only possible to initiate the replication from the decentral Account D.

Summarizing my situation in other words following your schema:

In Account D:

  • In this account we have our source bucket 1
  • We also have a specific bucket 2 which is used for S3 server access logs - all objects inside are encrypted using Amazon Managed Keys
  • FROM bucket 2, we initiate replication
  • In replication settings, we chose to change the key to a Customer Managed Key from Account C

In Account C:

  • In this account we have the destination bucket 3 for Server Access Logs
  • We receive replicated log files here. However, I cannot download or open the objects. It seems they are still encrypted with the Amazon Managed Key from Account D.

Error Message (when opening a replicated object, under "server-side encryption settings"): "You don’t have permission to get the server-side encryption settings After you or your AWS administrator has updated your permissions to allow the s3:GetObject action, refresh the page. "

Error Message (opening the object): "Access Denied"
