aldy120 / s3-note

Note for Amazon S3

Replication #30

Open aldy120 opened 1 year ago

aldy120 commented 1 year ago

Cross-account replication combined with KMS is the more complicated case.

In the Replication settings there is an encryption field where you can manually enter a cross-account KMS key. If the IAM role is set to "create new role", a role is created automatically according to the console settings. If a KMS key in the same account is configured when the rule is created or updated, it is automatically added to the role policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account",
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLikeIfExists": {
                    "s3:x-amz-server-side-encryption": [
                        "aws:kms",
                        "AES256"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::delete-me-12345678/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.eu-west-1.amazonaws.com",
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*"
                    ]
                }
            },
            "Resource": [
                "arn:aws:kms:eu-west-1:325227931631:key/2a52dcea-d58d-4f48-9d6a-409673b8b838"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "s3.ap-northeast-1.amazonaws.com"
                    ],
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::delete-me-12345678/*"
                    ]
                }
            },
            "Resource": [
                "arn:aws:kms:ap-northeast-1:325227931631:key/0315d52d-e104-48b6-8fa6-0a98c5ca0412"
            ]
        }
    ]
}

But if a cross-account KMS key is used for destination encryption, it is not added for you. Cross-account gets no such treatment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account",
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*",
                "arn:aws:s3:::delete-me-12345678",
                "arn:aws:s3:::delete-me-12345678/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*",
                "arn:aws:s3:::delete-me-12345678/*"
            ]
        }
    ]
}

aldy120 commented 1 year ago

Writing an IAM policy for cross-account KMS replication

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<SOURCE_BUCKET>",
                "arn:aws:s3:::<SOURCE_BUCKET>/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLikeIfExists": {
                    "s3:x-amz-server-side-encryption": [
                        "aws:kms",
                        "AES256"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::<DESTINATION_BUCKET>/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.<SOURCE_REGION>.amazonaws.com",
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::<SOURCE_BUCKET>/*"
                    ]
                }
            },
            "Resource": [
                "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<SOURCE_KMS_KEY_ID>"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "s3.<DESTINATION_REGION>.amazonaws.com"
                    ],
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::<DESTINATION_BUCKET>/*"
                    ]
                }
            },
            "Resource": [
                "arn:aws:kms:<DESTINATION_REGION>:<ACCOUNT_ID>:key/<DESTINATION_KMS_KEY_ID>"
            ]
        }
    ]
}

aldy120 commented 1 year ago

Bucket policy example. Remember to add s3:ObjectOwnerOverrideToBucketOwner

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-change-owner.html#repl-ownership-accept-ownership-b-policy

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::325227931631:role/service-role/s3crr_role_for_delete-me-dskjafhewf-cross-account_2"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::delete-me-12345678/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::325227931631:role/service-role/s3crr_role_for_delete-me-dskjafhewf-cross-account_2"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::delete-me-12345678"
        }
    ]
}

aldy120 commented 1 year ago

For the KMS part, the destination bucket must have KMS encryption enabled before replication will use KMS.

aldy120 commented 1 year ago

Adding the cross-account KMS permissions to the IAM role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account",
                "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLikeIfExists": {
                    "s3:x-amz-server-side-encryption": [
                        "aws:kms",
                        "AES256"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::delete-me-12345678/*"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "s3.ap-northeast-1.amazonaws.com"
                    ],
                    "kms:EncryptionContext:aws:s3:arn": [
                        "arn:aws:s3:::delete-me-12345678/*"
                    ]
                }
            },
            "Resource": [
                "arn:aws:kms:ap-northeast-1:818128150921:key/mrk-348a4a374d5a4b7291168c54439e41c9"
            ]
        }
    ]
}

aldy120 commented 1 year ago

Add the cross-account permissions to the KMS key policy. The IAM role also needs the corresponding KMS permissions. kms:GenerateDataKey is required.

{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
    ],
    "Resource": [
        "DestinationKmsKeyArn"
    ]
}

https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-replication/

aldy120 commented 1 year ago

When a bucket key is used, the encryption context becomes the bucket ARN, so the asterisk cannot be added. https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#bk-replication

But part of this document is a bit strange:

if an S3 Bucket Key is only enabled on the destination bucket and not the source bucket, you don't need to update your IAM policies to use the bucket ARN for the encryption context.

Possibly only decrypt does not need it, but encrypt still has to be changed to the bucket ARN. I tested it: if it is not changed, replication fails.

{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
    ],
    "Condition": {
        "StringLike": {
            "kms:ViaService": "s3.ap-northeast-1.amazonaws.com",
            "kms:EncryptionContext:aws:s3:arn": [
                "arn:aws:s3:::delete-me-12345678/*"
            ]
        }
    },
    "Resource": [
        "arn:aws:kms:ap-northeast-1:818128150921:key/mrk-348a4a374d5a4b7291168c54439e41c9"
    ]
}
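
As an added example (not the repository's own code; the bucket name, role ARN, account ids and key id in it are constructed placeholders), here is a small offline Python checker for the three points the comments above make about the role policy, the KMS permissions and the S3 Bucket Key caveat: the replication role needs both kms:GenerateDataKey and kms:Encrypt on the cross-account destination key, the kms:EncryptionContext:aws:s3:arn condition must match the bare bucket ARN (no trailing /*) once an S3 Bucket Key is in play, and the destination bucket policy must grant the role s3:ObjectOwnerOverrideToBucketOwner. It models only the Allow effect and the StringLike / StringEquals operators, which is all these policies use.

```python
import copy
import re

# Actions the comments above say the replication role needs on the destination KMS key
# (kms:GenerateDataKey is the one a console-generated role lacks for a cross-account key)
# and the ones the destination bucket policy must grant the role.
REQUIRED_KMS_ACTIONS = ("kms:Encrypt", "kms:GenerateDataKey")
REQUIRED_BUCKET_ACTIONS = ("s3:ReplicateObject", "s3:ReplicateDelete",
                           "s3:ObjectOwnerOverrideToBucketOwner")


def iam_match(pattern, value):
    """IAM-style wildcard match used for Action, Resource and StringLike: '*' any run, '?' one char."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def statement_covers(stmt, action, resource):
    """True if the statement names both `action` and `resource` (wildcards honoured)."""
    return (any(iam_match(a, action) for a in as_list(stmt.get("Action", [])))
            and any(iam_match(r, resource) for r in as_list(stmt.get("Resource", []))))


def condition_allows(stmt, context):
    """Evaluate String* conditions against the request context; ...IfExists skips absent keys."""
    for operator, keys in stmt.get("Condition", {}).items():
        base = operator.replace("IfExists", "")
        if base == "StringLike":
            match = iam_match
        elif base == "StringEquals":
            match = lambda p, v: p == v
        else:
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, patterns in keys.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if not any(match(p, context[key]) for p in as_list(patterns)):
                return False
    return True


def principal_includes(stmt, arn):
    principal = stmt.get("Principal", {})
    aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
    return arn in aws or "*" in aws


def lint_role_policy(role_policy, dest_key_arn, dest_bucket, via_service, bucket_key_enabled):
    """Findings for the role's access to the destination key; an empty list means it passes."""
    # With an S3 Bucket Key, S3 presents the bucket ARN as encryption context; otherwise the object ARN.
    ctx_arn = (f"arn:aws:s3:::{dest_bucket}" if bucket_key_enabled
               else f"arn:aws:s3:::{dest_bucket}/some/object")
    context = {"kms:ViaService": via_service, "kms:EncryptionContext:aws:s3:arn": ctx_arn}
    return [f"{action} on {dest_key_arn} not allowed for encryption context {ctx_arn}"
            for action in REQUIRED_KMS_ACTIONS
            if not any(statement_covers(s, action, dest_key_arn) and condition_allows(s, context)
                       for s in allow_statements(role_policy))]


def lint_bucket_policy(bucket_policy, role_arn, dest_bucket):
    """Findings for the destination bucket policy; the owner override is the easy one to forget."""
    obj_arn = f"arn:aws:s3:::{dest_bucket}/some/object"
    return [f"bucket policy does not grant {role_arn} {action} on {obj_arn}"
            for action in REQUIRED_BUCKET_ACTIONS
            if not any(principal_includes(s, role_arn) and statement_covers(s, action, obj_arn)
                       for s in allow_statements(bucket_policy))]


# Constructed samples with placeholder identifiers (not real accounts, keys or roles).
DEST_BUCKET = "example-destination-bucket"
DEST_KEY_ARN = "arn:aws:kms:ap-northeast-1:111111111111:key/mrk-PLACEHOLDER-KEY-ID"
ROLE_ARN = "arn:aws:iam::222222222222:role/service-role/example-replication-role"
VIA = "s3.ap-northeast-1.amazonaws.com"

# Shape of the KMS statement shown in the comments: kms:Encrypt only, object-level context.
ROLE_POLICY_AS_WRITTEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": [DEST_KEY_ARN],
    "Condition": {"StringLike": {"kms:ViaService": VIA,
                                 "kms:EncryptionContext:aws:s3:arn": [f"arn:aws:s3:::{DEST_BUCKET}/*"]}}}]}

# Corrected: both actions, and both context forms so it holds with or without an S3 Bucket Key.
ROLE_POLICY_FIXED = copy.deepcopy(ROLE_POLICY_AS_WRITTEN)
ROLE_POLICY_FIXED["Statement"][0]["Action"] = ["kms:Encrypt", "kms:GenerateDataKey"]
ROLE_POLICY_FIXED["Statement"][0]["Condition"]["StringLike"]["kms:EncryptionContext:aws:s3:arn"] = [
    f"arn:aws:s3:::{DEST_BUCKET}", f"arn:aws:s3:::{DEST_BUCKET}/*"]

BUCKET_POLICY_MISSING_OVERRIDE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Set permissions for objects", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"], "Resource": f"arn:aws:s3:::{DEST_BUCKET}/*"},
    {"Sid": "Set permissions on bucket", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
     "Resource": f"arn:aws:s3:::{DEST_BUCKET}"}]}
BUCKET_POLICY_FIXED = copy.deepcopy(BUCKET_POLICY_MISSING_OVERRIDE)
BUCKET_POLICY_FIXED["Statement"][0]["Action"].append("s3:ObjectOwnerOverrideToBucketOwner")

if __name__ == "__main__":
    for name, policy in (("as written", ROLE_POLICY_AS_WRITTEN), ("fixed", ROLE_POLICY_FIXED)):
        for bucket_key in (False, True):
            findings = lint_role_policy(policy, DEST_KEY_ARN, DEST_BUCKET, VIA, bucket_key)
            print(f"role policy {name}, bucket key {bucket_key}: {findings or 'OK'}")
    for name, policy in (("missing override", BUCKET_POLICY_MISSING_OVERRIDE), ("fixed", BUCKET_POLICY_FIXED)):
        print(f"bucket policy {name}: {lint_bucket_policy(policy, ROLE_ARN, DEST_BUCKET) or 'OK'}")
```

Run stand-alone it reports one finding (missing kms:GenerateDataKey) for the as-written statement when no bucket key is used, two findings once a bucket key is enabled (the bucket/* pattern no longer matches the bare bucket ARN that S3 now sends), and none for the corrected statement in either mode; the bucket policy check flags the missing owner override in the same way. Listing both the bucket ARN and bucket/* in the condition is what lets one statement serve both request shapes.
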

aldy120 commented 1 year ago

Bucket ownership makes little difference: even when the destination uses bucket owner enforced, you can still tick "Change object ownership to destination bucket owner".