
Questions tagged with AWS Key Management Service


S3 bucket replication fails in a multi-account architecture

I have a landing zone architecture. Account A has the source bucket, which is encrypted with a KMS CMK. Account B has the destination bucket, which is also encrypted with a KMS CMK (a different key from account A's). The KMS CMK was created in account C. I tried to configure S3 bucket replication from the source bucket to the destination bucket, but it keeps failing. The configuration is as follows:

1. IAM policy

(1) Account A (created by the S3 replication configuration; trust relationship with S3):

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name",
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": ["kms:Decrypt"],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::source-bucket-name/*"],
          "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
        }
      },
      "Effect": "Allow",
      "Resource": ["arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"]
    },
    {
      "Action": ["kms:Encrypt"],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::destination-bucket-name/*"],
          "kms:ViaService": ["s3.ap-northeast-2.amazonaws.com"]
        }
      },
      "Effect": "Allow",
      "Resource": ["arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"]
    }
  ]
}
```

(2) Account B: no IAM role

2. S3 bucket policy

(1) Account A: no bucket policy

(2) Account B:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
      "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
      "Resource": "arn:aws:s3:::destination-bucket-name"
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::A-account-id:root" },
      "Action": "s3:ObjectOwnerOverrideToBucketOwner",
      "Resource": "arn:aws:s3:::destination-bucket-name/*"
    }
  ]
}
```

3. KMS key policy

(1) Account A, Account B:

```
{
  "Version": "2012-10-17",
  "Id": "Key-Policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::C-account-id:root",
          "arn:aws:iam::A-account-id:root",
          "arn:aws:iam::B-account-id:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

(The account C root principal is the key owner.)

Please help me complete the bucket replication!

0 answers · 0 votes · 22 views · asked a month ago

getSignedUrl - SignatureDoesNotMatch with SSE-C encryption

My AWS config:

```
const AWS = require('aws-sdk');
const crypto = require('crypto');

AWS.config.update({
  accessKeyId: 'accessKeyId',
  secretAccessKey: 'secretAccessKey', // closing quote was missing in the pasted code
  signatureVersion: 'v4'
});
const S3 = new AWS.S3(); // S3 client used below (assumed; not shown in the original)
```

Function to upload and generate a getSignedUrl:

```
let sseKey = '12345678901234567890121234567890';
let md5 = crypto.createHash('md5').update(sseKey.toString(), 'utf8').digest('hex').toUpperCase();

// buff holds the file contents (a Buffer defined elsewhere); this runs inside
// a new Promise((resolve) => { ... }), hence resolve() below
S3.putObject({
  Bucket: 'Bucket',
  Body: buff,
  Key: 'test_file.jpg',
  SSECustomerAlgorithm: 'AES256',
  SSECustomerKey: sseKey,
  SSECustomerKeyMD5: md5
}, (err, data) => {
  console.log("🚀 file: aws.js line 203 returnnewPromise data", data)
  if (err) return console.error(err.stack)
  S3.getSignedUrl('getObject', {
    Bucket: 'Bucket',
    Key: 'test_file.jpg',
    Expires: 6000,
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: sseKey,
    SSECustomerKeyMD5: md5
  }, (err, data) => {
    if (err) return console.error(err.stack)
    console.log(data)
    resolve(data)
  })
})
```

I got a link like this:

```
https://$BUCKET_PATH/test_file.jpg?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=$SECRECT_CRE%2F20220821%2Fus-west-2%2Fs3%2Faws4_request&
X-Amz-Date=20220821T022426Z&
X-Amz-Expires=6000&
X-Amz-Signature=5e7cd0362b2543140b46c025044c11c2da2202e7ca59811fecf1837b6cdd4713&
X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption-customer-algorithm%3Bx-amz-server-side-encryption-customer-key%3Bx-amz-server-side-encryption-customer-key-md5&
x-amz-server-side-encryption-customer-algorithm=AES256&
x-amz-server-side-encryption-customer-key=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjEyMzQ1Njc4OTA%3D&
x-amz-server-side-encryption-customer-key-MD5=tbeqTQ80K9Hdr45q0i%2FNNQ%3D%3D
```

Copying the link into the browser gives this error:

```
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
```

I also used `https://www.npmjs.com/package/request` with POST and set the header params, but it does not work:

```
headers: {
  'x-amz-server-side-encryption-customer-algorithm': 'AES256',
  'x-amz-server-side-encryption-customer-key': encryptKey.toString('base64'),
},
```

Please help me, I don't know where the problem is. Thank you.

1 answer · 0 votes · 38 views · asked a month ago

MSSQL RDS Backup and Restore

I am trying to do an MSSQL database backup and restore (from one AWS account to another) following the native backup and restore documentation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html#SQLServer.Procedural.Importing.Native.Enabling

The backup to an S3 bucket seems to work fine. I then download it from Account A and upload it to an S3 bucket in Account B. When I then try to restore using

```
exec msdb.dbo.rds_restore_database
  @restore_db_name='database_name',
  @s3_arn_to_restore_from='arn:aws:s3:::bucket_name/file_name.extension';
```

I get the following error:

```
Aborted the task because of a task failure or a concurrent RESTORE_DB request. Task has been aborted
The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
```

This suggests to me an encryption issue; however, I have not specified a KMS key using the `@kms_master_key_arn` parameter on either the export or the import, which the documentation suggests should export an unencrypted DB:

"The following parameters are optional: @kms_master_key_arn – The ARN for the symmetric encryption KMS key to use to encrypt the item. **If you don't specify a KMS key identifier, the backup file won't be encrypted.**"

I'd appreciate any ideas if anyone has come across this problem before.

1 answer · 0 votes · 45 views · asked 2 months ago