We are trying to configure cross-account replication of objects from a bucket with SSE-KMS encryption to a bucket with the default SSE-S3 encryption.
We have a working configuration for replication going the other way around (SSE-S3 to SSE-KMS), but are encountering difficulties with the SSE-KMS to SSE-S3 scenario.
Some details about what we have found out so far:
- SSE-KMS-encrypted objects aren't replicated by default. This has to be explicitly enabled on the replication configuration page in the AWS Console under the "Replication" section, by ticking the checkbox labeled "Replicate objects encrypted with AWS Key Management Service (AWS KMS). Replicate SSE-KMS and DSSE-KMS encrypted objects."
- When ticking that checkbox, we now also have to fill in an "AWS KMS key for encrypting destination objects."
- Ticking the "Info" helper link next to "AWS KMS key for encrypting destination objects" opens up a documentation panel that explicitly states that we can "use the default AWS managed key (aws/s3).", but this option is never offered anywhere.
- We tried to fill in the SSE-S3 key alias for the destination bucket's account (`arn:aws:kms:$DESTINATION_BUCKET_REGION:$DESTINATION_ACCOUNT_ID:alias/aws/s3`), which is accepted, but no objects get replicated. Presumably this is because this is a cross-account operation, and the source account doesn't have access to use the destination account's key.
- We tried to specify an actual key created in the destination account in the bucket's region under the Key Management Service (KMS) page, but then the objects will just end up encrypted with that KMS key (requiring all consumers of the data to also have KMS permissions in order to read the object, which is what we wanted to avoid in the first place).
It's so strange that you can replicate from a SSE-S3-encrypted bucket to a SSE-KMS-encrypted one without explicitly being granted KMS permissions, but doing it the other way around is such a pain.
Is there any way to get this to work, or at least get confirmation that it is impossible? Thank you.
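An added example, not part of the post or of any AWS tooling, that codifies the two attempts above as a check over a replication rule and the destination key policy. Account IDs, region, role and key names are constructed placeholders. It relies on the fact that an AWS managed key such as aws/s3 has a fixed key policy that cannot be edited, so a principal in another account can never be granted use of it, while a customer managed key only works if its policy allows the replication role to encrypt with it.

```python
import re

# Constructed sample values: account IDs, region, role and key names are placeholders.
SOURCE_ACCOUNT, DEST_ACCOUNT, REGION = "111111111111", "222222222222", "eu-west-1"
REPL_ROLE = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/s3-replication-role"
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):(key/[\w-]+|alias/.+)$")

def policy_grants_encrypt(key_policy, principal_arn):
    """True if an Allow statement gives principal_arn (or its account root) kms:Encrypt."""
    acct_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    for st in key_policy.get("Statement", []):
        aws = st.get("Principal", {}).get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and (principal_arn in aws or acct_root in aws) \
                and any(a in ("kms:*", "kms:Encrypt") for a in actions):
            return True
    return False

def lint_replica_key(rule, role_arn, dest_key_policy=None):
    """Return a list of findings for one replication rule's destination-key settings."""
    findings = []
    sse = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
    if sse.get("Status") != "Enabled":
        findings.append("SSE-KMS source objects are not selected for replication")
    key_arn = rule.get("Destination", {}).get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID", "")
    m = KEY_ARN_RE.match(key_arn)
    if not m:
        return findings + ["ReplicaKmsKeyID missing or not a KMS key/alias ARN"]
    _region, key_account, resource = m.groups()
    if resource.startswith("alias/aws/"):
        findings.append("ReplicaKmsKeyID is an AWS managed key; its policy cannot be edited, "
                        "so a role in another account is never allowed to use it")
    elif key_account != role_arn.split(":")[4] and not policy_grants_encrypt(dest_key_policy or {}, role_arn):
        findings.append("destination key policy does not grant kms:Encrypt to the replication role")
    return findings

# Attempt 1 from the post: the destination account's aws/s3 alias (constructed rule).
RULE_AWS_ALIAS = {"ID": "kms-to-s3", "Status": "Enabled", "Priority": 1, "Filter": {},
    "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
    "Destination": {"Bucket": "arn:aws:s3:::dest-bucket-placeholder", "Account": DEST_ACCOUNT,
        "EncryptionConfiguration": {"ReplicaKmsKeyID": f"arn:aws:kms:{REGION}:{DEST_ACCOUNT}:alias/aws/s3"}}}
# Attempt 2: a customer managed key in the destination account whose policy trusts the role.
RULE_CMK = {**RULE_AWS_ALIAS, "Destination": {**RULE_AWS_ALIAS["Destination"], "EncryptionConfiguration":
    {"ReplicaKmsKeyID": f"arn:aws:kms:{REGION}:{DEST_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"}}}
DEST_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowReplicationRole", "Effect": "Allow",
    "Principal": {"AWS": REPL_ROLE}, "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
```

Even when the second rule passes the check, the replicas are written with that customer managed key, which is exactly what the post observed; the check explains why the alias attempt yields no replicas, not how to obtain SSE-S3 replicas.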