1 Answer
0
I think there's no way for RDS to automatically pass a KMS key ID while uploading SQL Server Audit logs to an S3 bucket. But you can do one of the following:
- You can create a new S3 bucket and enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to restrict uploads only from the IAM role for RDS SQL Server Audit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/role_name"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}
```
- If you already have an S3 bucket, enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to customize the "Resource" attribute to all key prefixes except the one used to upload the SQL Server Audit files.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my_bucket/all_prefixes/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/role_name"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my_bucket/rds_log_prefix/*"
    }
  ]
}
```
I hope that helps.
answered 2 years ago
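The following is an added example, not part of the answer above or of any AWS tooling: a small offline model of how S3 evaluates the two bucket policies the answer proposes. It copies the policy documents from the answer, checks them for the Resource scope rule that S3 enforces on bucket policies (a bucket policy may only name the bucket itself or objects inside it, which is why `"Resource": "*"` is rejected), and then evaluates a few constructed PutObject requests against the second policy. The bucket name `my_bucket`, the role ARN, the prefixes, the sample object keys and the user ARN are placeholders; the caller is compared directly to the role ARN (in practice the assumed-role session is matched against the role), and the negated `StringNotEquals` operator is modelled with IAM's documented behaviour that a condition key absent from the request context makes the condition true, so an upload with no SSE header is caught by the Deny.

```python
"""Added example: offline model of the answer's S3 bucket policies (not AWS code)."""
import fnmatch

BUCKET = "my_bucket"                                     # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/role_name"   # placeholder from the answer

# First policy from the answer, as originally posted.  S3 rejects it: a bucket
# policy's Resource must be the bucket ARN or an object ARN inside the bucket.
POLICY_NEW_BUCKET_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ROLE_ARN},
                   "Action": "s3:PutObject",
                   "Resource": "*"}],
}

# Second policy from the answer: deny unencrypted uploads to the other prefixes,
# let the RDS role write its audit files under its own prefix (default bucket
# encryption with the CMK then applies to those objects).
POLICY_EXISTING_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/all_prefixes/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/rds_log_prefix/*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def validate_bucket_policy(policy, bucket):
    """Return the problems S3 would reject the document for.
    Only the Resource scope rule is modelled here."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems = []
    for i, st in enumerate(policy["Statement"]):
        for res in _as_list(st["Resource"]):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"statement {i}: Resource {res!r} is not {bucket_arn} or an object in it")
    return problems


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or caller in aws


def _condition_matches(condition, ctx):
    """Only the operators needed for the answer's policy are modelled."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected = _as_list(expected)
            if op == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif op == "StringNotEquals":
                # Negated operator (assumed IAM semantics): a key missing from the
                # request context makes the condition true, so a PutObject with
                # no x-amz-server-side-encryption header hits the Deny.
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(op)
    return True


def evaluate(policy, caller, action, resource, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    ctx holds the request-context condition keys (constructed, e.g. SSE header)."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _principal_matches(st["Principal"], caller):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"            # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    print(validate_bucket_policy(POLICY_NEW_BUCKET_AS_POSTED, BUCKET))
    audit = f"arn:aws:s3:::{BUCKET}/rds_log_prefix/audit.sqlaudit"   # constructed key
    other = f"arn:aws:s3:::{BUCKET}/all_prefixes/report.csv"         # constructed key
    # RDS role, no SSE header: allowed, default bucket encryption applies the CMK.
    print(evaluate(POLICY_EXISTING_BUCKET, ROLE_ARN, "s3:PutObject", audit))
    # Anyone uploading elsewhere without aws:kms is explicitly denied.
    print(evaluate(POLICY_EXISTING_BUCKET, "arn:aws:iam::123456789012:user/alice",
                   "s3:PutObject", other))
```

Running the script prints the Resource problem for the first policy as posted, `Allow` for the RDS role writing under `rds_log_prefix/` without an SSE header, and `Deny` for an unencrypted upload to the other prefix. Note that the model only covers the bucket policy itself: in a real evaluation the caller's identity policy and the KMS key policy on the CMK also have to grant what is needed.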