Open aldy120 opened 1 year ago
An IAM policy for cross-account KMS replication (template; the `<...>` values are placeholders):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<SOURCE_BUCKET>",
        "arn:aws:s3:::<SOURCE_BUCKET>/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLikeIfExists": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms",
            "AES256"
          ]
        }
      },
      "Resource": [
        "arn:aws:s3:::<DESTINATION_BUCKET>/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.<SOURCE_REGION>.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::<SOURCE_BUCKET>/*"
          ]
        }
      },
      "Resource": [
        "arn:aws:kms:<SOURCE_REGION>:<ACCOUNT_ID>:key/<SOURCE_KMS_KEY_ID>"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "s3.<DESTINATION_REGION>.amazonaws.com"
          ],
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::<DESTINATION_BUCKET>/*"
          ]
        }
      },
      "Resource": [
        "arn:aws:kms:<DESTINATION_REGION>:<ACCOUNT_ID>:key/<DESTINATION_KMS_KEY_ID>"
      ]
    }
  ]
}
```
Bucket policy example. Remember to add `s3:ObjectOwnerOverrideToBucketOwner`.

```json
{
  "Version": "2012-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::325227931631:role/service-role/s3crr_role_for_delete-me-dskjafhewf-cross-account_2"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::delete-me-12345678/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::325227931631:role/service-role/s3crr_role_for_delete-me-dskjafhewf-cross-account_2"
      },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::delete-me-12345678"
    }
  ]
}
```
On the KMS side, the destination bucket must have KMS encryption enabled for replication to use KMS.

Add the cross-account KMS permissions to the IAM role policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::delete-me-dskjafhewf-cross-account",
        "arn:aws:s3:::delete-me-dskjafhewf-cross-account/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLikeIfExists": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms",
            "AES256"
          ]
        }
      },
      "Resource": [
        "arn:aws:s3:::delete-me-12345678/*"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "s3.ap-northeast-1.amazonaws.com"
          ],
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::delete-me-12345678/*"
          ]
        }
      },
      "Resource": [
        "arn:aws:kms:ap-northeast-1:818128150921:key/mrk-348a4a374d5a4b7291168c54439e41c9"
      ]
    }
  ]
}
```
Add the cross-account permissions to the KMS key policy. The IAM role also needs the corresponding KMS permissions; `kms:GenerateDataKey` is required.

```json
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": [
    "DestinationKmsKeyArn"
  ]
}
```
https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-replication/
When an S3 Bucket Key is used, the encryption context becomes the bucket ARN, so the `/*` wildcard must not be appended. https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#bk-replication

But this document is a bit odd:

> if an S3 Bucket Key is only enabled on the destination bucket and not the source bucket, you don't need to update your IAM policies to use the bucket ARN for the encryption context.

Possibly only decrypt does not need it, but encrypt still has to be changed to the bucket ARN. I tested it: without the change it fails.

```json
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.ap-northeast-1.amazonaws.com",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::delete-me-12345678/*"
      ]
    }
  },
  "Resource": [
    "arn:aws:kms:ap-northeast-1:818128150921:key/mrk-348a4a374d5a4b7291168c54439e41c9"
  ]
}
```
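The two pitfalls above (a destination KMS statement that lacks `kms:GenerateDataKey`, and an encryption-context condition written as `bucket/*` when an S3 Bucket Key makes the context the bare bucket ARN) can be caught before a replication rule is created. The checker below is an added example, not code from the notes or from AWS; the sample policy, bucket name, account id and key id in it are constructed placeholders.

```python
import json

# Constructed sample modelled on the destination-side KMS statement in the notes
# above; account id, key id and bucket name are placeholders, not real resources.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt"],
    "Condition": {"StringLike": {
      "kms:ViaService": "s3.ap-northeast-1.amazonaws.com",
      "kms:EncryptionContext:aws:s3:arn": ["arn:aws:s3:::example-dest-bucket/*"]
    }},
    "Resource": ["arn:aws:kms:ap-northeast-1:111111111111:key/EXAMPLE-KEY-ID"]
  }]
}""")

# Actions the replication role needs on the destination key (from the notes above).
REQUIRED_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Encrypt"}


def _as_list(value):
    """IAM allows a bare string or a list in Action/Condition values."""
    return value if isinstance(value, list) else [value]


def check_destination_kms(policy, dest_bucket, bucket_key_enabled):
    """Return a list of findings; an empty list means both checks passed."""
    granted, contexts = set(), []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        kms_actions = {a for a in _as_list(stmt.get("Action", [])) if a.startswith("kms:")}
        if not kms_actions:
            continue
        granted |= kms_actions
        cond = stmt.get("Condition", {}).get("StringLike", {})
        contexts += _as_list(cond.get("kms:EncryptionContext:aws:s3:arn", []))
    findings = []
    missing = REQUIRED_KMS_ACTIONS - granted
    if missing and "kms:*" not in granted:
        findings.append("missing " + ", ".join(sorted(missing)))
    # With a Bucket Key the context is the bucket ARN itself; StringLike "bucket/*"
    # requires a "/" after the bucket name, so it never matches that value.
    expected = f"arn:aws:s3:::{dest_bucket}" + ("" if bucket_key_enabled else "/*")
    if contexts and expected not in contexts:
        findings.append(f"encryption context condition should list {expected}")
    return findings


if __name__ == "__main__":
    print(check_destination_kms(ROLE_POLICY, "example-dest-bucket", bucket_key_enabled=True))
```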
Bucket ownership makes little difference: even when the destination uses "bucket owner enforced", you can still tick "Change object ownership to destination bucket owner".

Cross-account combined with KMS is more complicated.

The replication settings have an encryption field where a cross-account KMS key can be entered manually. If the IAM role is a newly created role, the console creates a role automatically according to its settings, and a same-account KMS key set during creation or update is added to the role policy automatically.

But if a cross-account KMS key is used for destination encryption, it is not added for you. Nothing has permission across accounts.