S3 bucket replication fails in a multi-account architecture

0

I have a landing zone architecture. Account A has the source bucket, which is encrypted with a KMS CMK. Account B has the destination bucket, which is also encrypted with a KMS CMK (a different key from account A's). The KMS CMK was created in account C.

I tried to configure S3 bucket replication from the source bucket to the destination bucket, but it keeps failing.

The configuration is as follows:

1. IAM policy
(1) Account A
(created by the S3 replication configuration)
(trust relationship with S3)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name",
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::source-bucket-name/*"
                    ],
                    "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::destination-bucket-name/*"
                    ],
                    "kms:ViaService": [
                        "s3.ap-northeast-2.amazonaws.com"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"
            ]
        }
    ]
}

(2) Account B
No IAM role

2. S3 bucket policy

(1) Account A
No bucket policy


(2) Account B
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket-name"
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:root"
            },
            "Action": "s3:ObjectOwnerOverrideToBucketOwner",
            "Resource": "arn:aws:s3:::destination-bucket-name/*"
        }
    ]
}

3. KMS key policy
(1) Account A, account B
(C-account-id is the key owner)
{
    "Version": "2012-10-17",
    "Id": "Key-Policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::C-account-id:root",
                    "arn:aws:iam::A-account-id:root",
                    "arn:aws:iam::B-account-id:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Please help me complete the bucket replication!

1 answer
0

Do you happen to know whether you have Bucket Key enabled on the S3 buckets?

When an S3 Bucket Key is enabled for the source or destination bucket, the encryption context will be the bucket Amazon Resource Name (ARN), not the object ARN (for example, arn:aws:s3:::bucket_ARN). You must update your IAM policies to use the bucket ARN for the encryption context:

"kms:EncryptionContext:aws:s3:arn": [
"arn:aws:s3:::bucket_ARN"
]

See Documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#bk-replication

I see that you are currently using the object-level ARN, with /* appended to the bucket name.

You can find the Bucket Key setting in the bucket's Properties panel under the encryption settings. Alternatively, you can check whether the setting is enabled using the CLI:

$ aws s3api get-bucket-encryption --bucket

If you see that Bucket Key is enabled on the buckets, you should update the EncryptionContext in your IAM policy to use the bucket ARN.

Hope this helps!

Answered a year ago
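As an added example (not part of the question or the answer above, and not AWS code): a small Python audit that takes the per-bucket output of `aws s3api get-bucket-encryption`, derives whether each bucket has an S3 Bucket Key, and checks the replication role's `kms:Encrypt`/`kms:Decrypt` statements for a `kms:EncryptionContext:aws:s3:arn` value that can never match what S3 sends. The two response documents are constructed for the example (the assumption that the source bucket has a Bucket Key and the destination bucket does not is made up here); the embedded policy is the two KMS statements from the question, with the other statements omitted because they carry no encryption-context condition.

```python
import json
from copy import deepcopy

S3_ARN_PREFIX = "arn:aws:s3:::"
CTX_KEY = "kms:EncryptionContext:aws:s3:arn"

# Constructed sample responses shaped like the output of
#   aws s3api get-bucket-encryption --bucket <name>
# Bucket names and key ARNs are the placeholders from the question; the Bucket Key
# settings (source on, destination off) are an assumption made for this example.
SAMPLE_ENCRYPTION = {
    "source-bucket-name": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"},
        "BucketKeyEnabled": True}]}},
    "destination-bucket-name": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"},
        "BucketKeyEnabled": False}]}},
}

# The two KMS statements of the replication role policy from the question.
REPLICATION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["kms:Decrypt"], "Effect": "Allow",
         "Resource": ["arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"],
         "Condition": {"StringLike": {
             CTX_KEY: ["arn:aws:s3:::source-bucket-name/*"],
             "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"}}},
        {"Action": ["kms:Encrypt"], "Effect": "Allow",
         "Resource": ["arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"],
         "Condition": {"StringLike": {
             CTX_KEY: ["arn:aws:s3:::destination-bucket-name/*"],
             "kms:ViaService": ["s3.ap-northeast-2.amazonaws.com"]}}},
    ],
}


def bucket_key_enabled(response: dict) -> bool:
    """True if a default-encryption rule uses SSE-KMS with an S3 Bucket Key."""
    rules = response["ServerSideEncryptionConfiguration"]["Rules"]
    return any(rule["ApplyServerSideEncryptionByDefault"].get("SSEAlgorithm") == "aws:kms"
               and rule.get("BucketKeyEnabled", False) for rule in rules)


def bucket_key_settings(responses: dict) -> dict:
    """Map bucket name -> Bucket Key enabled, from per-bucket get-bucket-encryption output."""
    return {name: bucket_key_enabled(resp) for name, resp in responses.items()}


def expected_context_arn(bucket: str, bucket_key: bool) -> str:
    """With a Bucket Key, S3 presents the bucket ARN as the encryption context; without
    one it presents the object ARN, which the 'bucket/*' wildcard matches."""
    return f"{S3_ARN_PREFIX}{bucket}" if bucket_key else f"{S3_ARN_PREFIX}{bucket}/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bucket_of(ctx_arn: str):
    if not ctx_arn.startswith(S3_ARN_PREFIX):
        return None
    return ctx_arn[len(S3_ARN_PREFIX):].split("/", 1)[0]


def audit_kms_statements(policy: dict, settings: dict) -> list:
    """One finding per kms:Encrypt/kms:Decrypt statement whose encryption-context
    condition cannot match what S3 will actually send for that bucket."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("kms:Encrypt", "kms:Decrypt") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        for ctx in _as_list(cond.get(CTX_KEY, [])):
            bucket = _bucket_of(ctx)
            if bucket not in settings:
                continue  # bucket we have no encryption data for: cannot judge
            expected = expected_context_arn(bucket, settings[bucket])
            if ctx != expected:
                findings.append(f"statement {idx} {actions}: context {ctx!r} never matches; use {expected!r}")
    return findings


def fix_kms_statements(policy: dict, settings: dict) -> dict:
    """Return a copy of the policy with every mismatched context value rewritten;
    the kms:ViaService condition and everything else is left untouched."""
    fixed = deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if CTX_KEY not in cond:
            continue
        cond[CTX_KEY] = [expected_context_arn(b, settings[b]) if (b := _bucket_of(ctx)) in settings else ctx
                         for ctx in _as_list(cond[CTX_KEY])]
    return fixed


if __name__ == "__main__":
    settings = bucket_key_settings(SAMPLE_ENCRYPTION)
    for finding in audit_kms_statements(REPLICATION_ROLE_POLICY, settings):
        print("FINDING:", finding)
    print(json.dumps(fix_kms_statements(REPLICATION_ROLE_POLICY, settings), indent=2))
```

With the constructed settings the audit flags only the `kms:Decrypt` statement (source bucket has a Bucket Key, so the context S3 sends is `arn:aws:s3:::source-bucket-name`, which `source-bucket-name/*` cannot match), and leaves the destination statement alone. In a real run you would feed `bucket_key_settings` the parsed output of `get-bucket-encryption` for both buckets and then re-run the audit after applying the rewritten policy.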
