S3 bucket replication fail in multi account architecture

0

I have a landing zone architecture. Account A has a source bucket which is encrypted by a KMS CMK. Account B has a destination bucket which is also encrypted by a KMS CMK (a different key from account A's). The KMS CMK was created in account C.

I tried to configure s3 bucket replication from source bucket to destination bucket, but it keeps failing.

Configuration information is like below:

1. IAM policy
(1) A-account
(created by the S3 replication configuration)
(trust relationship with S3)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name",
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name/*",
                "arn:aws:s3:::destination-bucket-name/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::source-bucket-name/*"
                    ],
                    "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::destination-bucket-name/*"
                    ],
                    "kms:ViaService": [
                        "s3.ap-northeast-2.amazonaws.com"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"
            ]
        }
    ]
}

(2) B-account 
NO IAM ROLE

2. S3 bucket policy

(1) A-account
No bucket policy 


(2) B-account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket-name"
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::A-account-id:root"
            },
            "Action": "s3:ObjectOwnerOverrideToBucketOwner",
            "Resource": "arn:aws:s3:::destination-bucket-name/*"
        }
    ]
}

3. KMS Key policy 
(1) A-account, B-account (the C-account root principal is the key owner)
{
    "Version": "2012-10-17",
    "Id": "Key-Policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::C-account-id:root",
                    "arn:aws:iam::A-account-id:root",
                    "arn:aws:iam::B-account-id:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Please help me to complete bucket replication!

1 answer
0

Do you happen to know if you have bucket key enabled on the S3 buckets?

When an S3 Bucket Key is enabled for the source or destination bucket, the encryption context will be the bucket Amazon Resource Name (ARN), not the object ARN (for example, arn:aws:s3:::bucket_ARN). You must update your IAM policies to use the bucket ARN for the encryption context:

"kms:EncryptionContext:aws:s3:arn": [
"arn:aws:s3:::bucket_ARN"
]

See Documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#bk-replication

I see that you're currently using the object level arn with the /* appended to the bucket name.

You can find the bucket key setting within your properties panel under the Encryption settings in the S3 bucket. Alternatively, you can check if the setting is enabled using the CLI:

$ aws s3api get-bucket-encryption --bucket

If you see bucket key is enabled on the buckets, you should update your IAM policy under the EncryptionContext accordingly to the Bucket ARN.

Hope this helps!

Answered 1 year ago
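The check the answer describes, as an added example that is not part of the question or the answer: it takes the KMS statements of the replication role's IAM policy together with each bucket's default-encryption settings (in the shape returned by `aws s3api get-bucket-encryption`) and reports every statement whose `kms:EncryptionContext:aws:s3:arn` condition does not contain the ARN S3 will actually present (the bucket ARN when S3 Bucket Key is enabled, the object ARN `bucket/*` otherwise). The policy, bucket names, key IDs and account IDs below are constructed samples.

```python
# Constructed sample: the two KMS statements of the replication role's IAM policy.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": ["arn:aws:kms:ap-northeast-2:111111111111:key/src-key-id"],
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::source-bucket-name/*"],
             "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["kms:Encrypt"],
         "Resource": ["arn:aws:kms:ap-northeast-2:222222222222:key/dst-key-id"],
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::destination-bucket-name/*"],
             "kms:ViaService": ["s3.ap-northeast-2.amazonaws.com"]}}},
    ],
}

# Constructed sample in the shape of `aws s3api get-bucket-encryption` output.
# Source bucket has S3 Bucket Key enabled, destination bucket does not.
BUCKET_ENCRYPTION = {
    "source-bucket-name": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
         "BucketKeyEnabled": True}]}},
    "destination-bucket-name": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
         "BucketKeyEnabled": False}]}},
}

def bucket_key_enabled(encryption_response):
    """True if any default-encryption rule of the bucket has BucketKeyEnabled set."""
    rules = encryption_response["ServerSideEncryptionConfiguration"]["Rules"]
    return any(rule.get("BucketKeyEnabled", False) for rule in rules)

def check_policy(policy, encryption_by_bucket):
    """Return (action, bucket, expected_arn) for every KMS statement whose
    EncryptionContext condition lacks the ARN S3 will actually present."""
    findings = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringLike", {})
        values = cond.get("kms:EncryptionContext:aws:s3:arn", [])
        values = [values] if isinstance(values, str) else list(values)
        for bucket in {v.removeprefix("arn:aws:s3:::").split("/", 1)[0] for v in values}:
            if bucket not in encryption_by_bucket:
                continue  # no encryption data for this bucket; cannot judge it
            base = f"arn:aws:s3:::{bucket}"
            expected = base if bucket_key_enabled(encryption_by_bucket[bucket]) else base + "/*"
            if expected not in values:
                findings.append((stmt["Action"][0], bucket, expected))
    return findings
```

With the sample data the Decrypt statement for the source bucket is flagged, because that bucket uses a Bucket Key and S3 will present the bucket ARN, not `source-bucket-name/*`; a condition that lists both the bucket ARN and the object ARN passes.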
