4

我正在尝试将加密对象复制到不同区域的 S3 存储桶。执行此操作时,我需要指定一个或多个 KMS 密钥用于解密对象。

我正在使用以下 Terraform 脚本:

replication_configuration {
  role = "${aws_iam_role.replication.arn}"

  rules {
    id     = "${var.service}"
    prefix = "${var.replication_bucket_prefix}"
    status = "Enabled"

    destination {
      bucket        = "${aws_s3_bucket.replication_bucket.arn}"
      storage_class = "STANDARD"
      replica_kms_key_id = "xxxxx"
    }

    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}

此脚本有效(适用),但在 AWS 控制台中检查时,没有为源对象选择 KMS 密钥。

查看配置,我看不到任何地方可以指定这些键。replica_kms_key_id用于指定用于加密目标存储桶中的对象的KMS 密钥。

4

3 回答 3

4

When you setup replication in the console it creates a new policy and attaches it to your replication role. If you create this policy with Terraform it will reflect in the console and replication will work.

The code below assumes you are creating all of the buckets and keys in terraform and the resource names are aws_s3_bucket.source and aws_s3_bucket.replica and the key resources are aws_kms_key.source and aws_kms_key.replica.

This should definitely be described in the s3 bucket resource documentation on the Terraform site because it won't work without it, but it's not.

resource "aws_iam_policy" "replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source.arn}",
        "${aws_s3_bucket.source.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.replica.arn}/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
        "Condition": {
          "StringLike": {
            "kms:ViaService": "s3.${aws_s3_bucket.source.region}.amazonaws.com",
            "kms:EncryptionContext:aws:s3:arn": [
              "${aws_s3_bucket.source.arn}/*"
            ]
          }
        },
        "Resource": [
          "${aws_kms_key.source.arn}"
        ]
    },
    {
      "Action":[
        "kms:Encrypt"
      ],
      "Effect":"Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${aws_s3_bucket.replica.region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "${aws_s3_bucket.replica.arn}/*"
          ]
        }
      },
      "Resource":[
        "${aws_kms_key.replica.arn}"
      ]
    }
  ]
}
POLICY
}

More details can be found in issue #6046 on the terraform-provider-aws repo

于 2019-12-27T05:09:25.543 回答
4

我在尝试使用 terraform 实现 KMS 加密跨区域、跨帐户复制时遇到了同样的问题。

在某些时候,我注意到配置中缺少源 KMS 密钥(就像您所做的那样)并通过 S3 Web 界面添加它。这样做之后,AWS 创建了另一个策略(没有在任何地方提及它;我在一天后在做其他事情时发现它)调用类似的东西crr-$SOURCE_BUCKET_NAME-to-$TARGET_BUCKET_NAME并将其附加到复制角色。在检查了该规则后,我意识到这是拼图中缺失的部分。

这是该政策的重要部分:

{
        "Action": [
            "kms:Decrypt"
        ],
        "Effect": "Allow",
        "Condition": {
            "StringLike": {
                "kms:ViaService": "s3.${var.source_bucket_region}.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": [
                    "arn:aws:s3:::${var.source_bucket_name}/*"
                ]
            }
        },
        "Resource": [
            "${var.source_kms_key_arn}"
        ]
    },

${var.source_kms_key_arn}是您的源 KMS 密钥 arn。

PS:这个问题把我逼疯了!(╯°□°)╯︵┻━┻</p>

于 2018-10-12T13:23:40.657 回答
1

遇到同样的问题。我从Mattmalte早期评论中的政策文件开始,但只是让它与这个一起工作:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "${aws_s3_bucket.source.arn}",
                "${aws_s3_bucket.source.arn}/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLikeIfExists": {
                    "s3:x-amz-server-side-encryption": [
                        "aws:kms",
                        "AES256"
                    ],
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": [
                        "${aws_kms_key.replica.arn}"
                    ]
                }
            },
            "Resource": [
                "${aws_s3_bucket.replica.arn}/*"
            ]
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.${aws_s3_bucket.source.region}.amazonaws.com",
                    "kms:EncryptionContext:aws:s3:arn": [
                        "${aws_s3_bucket.source.arn}/*"
                    ]
                }
            },
            "Resource": [
                "${aws_kms_key.source.arn}"
            ]
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.${aws_s3_bucket.replica.region}.amazonaws.com",
                    "kms:EncryptionContext:aws:s3:arn": [
                        "${aws_s3_bucket.replica.arn}/*"
                    ]
                }
            },
            "Resource": [
                        "${aws_kms_key.replica.arn}"
            ]
        }
    ]
}

请注意更改,可能来自 CRR 策略的 V3(从控制台选择时,AWS 创建 s3crr_kms_v3_*):

"Condition": {
                "StringLikeIfExists": {
                    "s3:x-amz-server-side-encryption": [
                        "aws:kms",
                        "AES256"
                    ],
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": [
                        "${aws_kms_key.replica.arn}"
                    ]
                }
            }

关于使用 KMS 的 S3 CRR 的 Terraform 文档仍然非常有限。

于 2020-07-15T17:32:59.647 回答