如何解决 Amazon Macie 中的错误讯息 "putClassificationExportConfiguration"?

2 分钟阅读
0

我启用了 Amazon Macie,并尝试为敏感数据发现结果配置一个 Amazon Simple Storage Service (Amazon S3) 存储库。但是,我收到了与以下内容类似的错误消息: "putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both."

简短描述

此错误消息意味着 Macie 存在权限配置问题。

解决方法

检查 Amazon S3 存储桶、AWS Key Management Service (AWS KMS) 密钥和 AWS 身份和访问管理 (IAM) 策略的权限。

IAM 权限

1.    打开 IAM 控制台,然后选择用户

2.    选择用户名,然后选择权限选项卡。

3.    验证是否允许用户执行以下 API 操作:

macie2:PutClassificationExportConfiguration s3:CreateBucket s3:GetBucketLocation s3:ListAllMyBuckets s3:PutBucketAcl s3:PutBucketPolicy s3:PutBucketPublicAccessBlock s3:PutObject kms:ListAliases

有关更多信息,请参阅验证您的权限

Amazon S3 权限

确保 Amazon S3 存储桶策略具有与以下内容类似的权限:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN OF KMS KEY>"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::<BUCKET>"
    }
  ]
}

AWS KMS 权限

确保 AWS KMS 密钥策略具有与以下内容类似的权限:

{
  "Sid": "Allow Macie to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "macie.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "111122223333"
    },
    "ArnLike": {
      "aws:SourceArn": [
        "arn:aws:macie2:Region:111122223333:export-configuration:*",
        "arn:aws:macie2:Region:111122223333:classification-job/*"
      ]
    }
  }
}

有关更多信息,请参阅对错误进行问题排查

**注意:**最佳实践是对于执行任务所需的权限,只授予最低权限。有关更多信息,请参阅授予最低权限


相关信息

Amazon Macie 入门

AWS 官方
AWS 官方已更新 2 年前