当S3存储桶的默认加密设置为SSE-KMS时,访问日志不会显示。

huangapple go评论64阅读模式
英文:

When Default encryption for S3 bucket is set to SSE-KMS the access logs doesn't show up

问题

我想要为一个名为source_bucket的存储桶启用服务器访问日志。在目标存储桶上,我已设置了权限:

{
    "Sid": "S3PolicyStmt-Dummy-11111111111111",
    "Effect": "Allow",
    "Principal": {
        "Service": "logging.s3.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::target_bucket/*"
}

其他条件:

  • 目标存储桶的策略中没有拒绝访问日志的设置
  • 目标存储桶上禁用了S3对象锁
  • 目标存储桶上的默认加密设置为SSE-KMS - 这里似乎存在问题。一旦我将其更改为SSE-S3,日志会在一段时间后显示,但使用KMS密钥时不会。
    KMS密钥具有以下策略:
{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::${account_id}:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}

我是否需要设置其他附加权限以使其正常工作?

英文:

I would like to enable Server access logs for a bucket (named it source_bucket). On the target bucket I've set the permissions:

        {
        "Sid": "S3PolicyStmt-Dummy-11111111111111",
        "Effect": "Allow",
        "Principal": {
            "Service": "logging.s3.amazonaws.com"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::target_bucket/*"
    }

other conditions:

  • there is no deny access to the logs in the policy of the target_bucket

  • S3 Object Lock on target_bucket disabled

  • Default encryption on the target_bucket set to SSE-KMS - and here looks like an issue to me. Once I've changed it to SSE-S3 the logs were presented after some time but with using KMS Key it doesn't.
    KMS Key has the following policy:

          {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::${account_id}:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      }
    

Do I need to set up some additional permissions to make it work?

答案1

得分: 1

日志由服务 logs.amazonaws.com 编写,因此您需要允许该服务解密 KMS。请将以下策略添加到 KMS 密钥中,并确保将 logs.region.amazonaws.com 上的区域更改为您正在使用的区域。

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.region.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:Describe*"
    ],
    "Resource": "<您的 KMS 密钥的 ARN>"
}
英文:

The logs are written by the service logs.amazonaws.com so you need to allow the service to decrypt the KMS, add the following policy to the KMS key, make sure to change the region on logs.region.amazonaws.com to the one you are using.

  {
    &quot;Effect&quot;: &quot;Allow&quot;,
    &quot;Principal&quot;: {
        &quot;Service&quot;: &quot;logs.region.amazonaws.com&quot;
    },
    &quot;Action&quot;: [
        &quot;kms:Decrypt*&quot;,
        &quot;kms:ReEncrypt*&quot;,
        &quot;kms:Describe*&quot;
    ],
    &quot;Resource&quot;: &quot;&lt;arn of your KMS key&gt;&quot;
  }

答案2

得分: 1

谢谢furydrive提供的提示。对我有效的策略如下:

{
    "Sid": "允许AWS服务解密日志 - P2",
    "Effect": "允许",
    "Principal": {
        "Service": "logging.s3.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:Describe*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

我已将其添加到我使用的KMS密钥中。我使用的服务是:logging.s3.amazonaws.com,与用于在S3中存储数据的服务相同。除此之外,我还根据以下示例添加了2个更多的操作:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html(段落:Amazon S3桶服务器端加密)

英文:

Thank you furydrive for providing me a hint. What worked for me is the policy below:

{
        &quot;Sid&quot;: &quot;Allow  aws service to decrypt logs - P2&quot;,
        &quot;Effect&quot;: &quot;Allow&quot;,
        &quot;Principal&quot;: {
            &quot;Service&quot;: &quot;logging.s3.amazonaws.com&quot;
        },
        &quot;Action&quot;: [
            &quot;kms:Decrypt*&quot;,
            &quot;kms:ReEncrypt*&quot;,
            &quot;kms:Describe*&quot;,
            &quot;kms:GenerateDataKey*&quot;,
            &quot;kms:DescribeKey&quot;
        ],
        &quot;Resource&quot;: &quot;*&quot;
    }

I've added it to KMS Key, I've used.
Service I've used is: logging.s3.amazonaws.com
this is the same, which is used to store data in S3. Other then that I've added 2 more actions following this example:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html (paragraph: Amazon S3 bucket server-side encryption)

huangapple
  • 本文由 发表于 2023年7月17日 18:26:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/76703550.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定