When Default encryption for S3 bucket is set to SSE-KMS the access logs doesn't show up
Question
I would like to enable server access logs for a bucket (I named it source_bucket). On the target bucket I've set the permissions:
{
  "Sid": "S3PolicyStmt-Dummy-11111111111111",
  "Effect": "Allow",
  "Principal": {
    "Service": "logging.s3.amazonaws.com"
  },
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::target_bucket/*"
}
Other conditions:
- There is no deny of access to the logs in the policy of the target_bucket.
- S3 Object Lock on target_bucket is disabled.
- Default encryption on the target_bucket is set to SSE-KMS, and this looks like the issue to me. Once I changed it to SSE-S3 the logs appeared after some time, but with a KMS key they don't.
The KMS key has the following policy:
{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::${account_id}:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}
Do I need to set up some additional permissions to make it work?
Answer 1
Score: 1
The logs are written by the service logs.amazonaws.com, so you need to allow that service to decrypt with the KMS key. Add the following policy to the KMS key, and make sure to change the region in logs.region.amazonaws.com to the one you are using.
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.region.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:Describe*"
  ],
  "Resource": "<arn of your KMS key>"
}
Answer 2
Score: 1
Thank you furydrive for providing me with a hint. What worked for me is the policy below:
{
  "Sid": "Allow aws service to decrypt logs - P2",
  "Effect": "Allow",
  "Principal": {
    "Service": "logging.s3.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:Describe*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
I've added it to the KMS key I use. The service I used is logging.s3.amazonaws.com, the same one that is used to store data in S3. Other than that, I added 2 more actions following this example:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html (paragraph: Amazon S3 bucket server-side encryption)
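The following is an added example, not code from either answer: an offline checker that reads a KMS key policy and reports which of the actions that answer 2 found necessary are not granted to the logging.s3.amazonaws.com service principal. It treats the question's root-only policy and the accepted policy as constructed sample inputs; the account id is a placeholder, and the required-action list is assumed from answer 2's wildcards.

```python
import json
import re

# Service principal that delivers S3 server access logs (from answer 2 above).
LOGGING_PRINCIPAL = "logging.s3.amazonaws.com"
# Concrete actions covered by the wildcards in the policy that worked in answer 2.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey")


def iam_match(pattern: str, action: str) -> bool:
    """IAM-style action matching: case-insensitive, '*' and '?' are the wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _names_service(statement: dict, service: str) -> bool:
    principal = statement.get("Principal", {})
    # A bare "*" principal is fully open; a {"AWS": ...:root} principal only
    # covers the account's IAM identities, never a service principal.
    return principal == "*" or service in _as_list(principal.get("Service", []))


def missing_logging_actions(key_policy: str, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions the key policy does not grant to the logging
    service principal; an explicit Deny for that principal also counts as missing."""
    statements = _as_list(json.loads(key_policy).get("Statement", []))
    missing = []
    for action in required:
        allowed = denied = False
        for st in statements:
            if not _names_service(st, LOGGING_PRINCIPAL):
                continue
            if any(iam_match(p, action) for p in _as_list(st.get("Action", []))):
                allowed |= st.get("Effect") == "Allow"
                denied |= st.get("Effect") == "Deny"
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample: the question's root-only key policy, then the same policy
# with answer 2's statement appended (111122223333 is a placeholder account id).
ROOT_STATEMENT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                  "Action": "kms:*", "Resource": "*"}
LOGGING_STATEMENT = {"Sid": "Allow aws service to decrypt logs - P2", "Effect": "Allow",
                     "Principal": {"Service": LOGGING_PRINCIPAL},
                     "Action": ["kms:Decrypt*", "kms:ReEncrypt*", "kms:Describe*",
                                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}
ROOT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]})
WITH_LOGGING = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STATEMENT, LOGGING_STATEMENT]})
```

Running `missing_logging_actions(ROOT_ONLY)` reports every required action as missing, which is the state the question describes, while `missing_logging_actions(WITH_LOGGING)` returns an empty list.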