I enabled Amazon Macie and tried to configure an Amazon Simple Storage Service (Amazon S3) repository for my sensitive data discovery results. But I received an error similar to the following:
"putClassificationExportConfiguration: The operation can't be performed because you're not allowed to access the S3 bucket, the KMS key, or both."
Short description
This error message indicates that there is a permissions configuration problem related to Macie.
Resolution
Check the permissions of the Amazon S3 bucket, the AWS Key Management Service (AWS KMS) key, and the AWS Identity and Access Management (IAM) policies.
IAM permissions
1. Open the IAM console, and then choose Users.
2. Choose the User name, and then choose the Permissions tab.
3. Confirm that the user is allowed to perform the following API actions:
macie2:PutClassificationExportConfiguration
s3:CreateBucket
s3:GetBucketLocation
s3:ListAllMyBuckets
s3:PutBucketAcl
s3:PutBucketPolicy
s3:PutBucketPublicAccessBlock
s3:PutObject
kms:ListAliases
For more information, see Verify your permissions.
Amazon S3 permissions
Confirm that the Amazon S3 bucket policy has permissions similar to the following:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny non-HTTPS access",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<BUCKET>/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Deny incorrect encryption header. This is optional",
            "Effect": "Deny",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN OF KMS KEY>"
                }
            }
        },
        {
            "Sid": "Deny unencrypted object uploads. This is optional",
            "Effect": "Deny",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "Allow Macie to upload objects to the bucket",
            "Effect": "Allow",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET>/*"
        },
        {
            "Sid": "Allow Macie to use the getBucketLocation operation",
            "Effect": "Allow",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::<BUCKET>"
        }
    ]
}
```
AWS KMS permissions
Confirm that the AWS KMS key policy has permissions similar to the following:
```json
{
    "Sid": "Allow Macie to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "macie.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
            "aws:SourceArn": [
                "arn:aws:macie2:Region:111122223333:export-configuration:*",
                "arn:aws:macie2:Region:111122223333:classification-job/*"
            ]
        }
    }
}
```
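The three checks above (IAM actions, bucket policy, key policy) can be verified offline before the export configuration is saved. The following script is an added example, not AWS tooling or part of this article: it reads policy documents as plain JSON dictionaries and reports which of the statements the sections above call for are missing. The bucket name, account ID and the sample policies are constructed placeholders; the sample bucket policy deliberately omits the `s3:GetBucketLocation` statement so the check has something to report.

```python
"""Offline lint for the policies Macie's findings export depends on.

Added example, not AWS tooling. Bucket name, account id and sample
policies are constructed placeholders, not real resources.
"""

MACIE = "macie.amazonaws.com"

# Actions the article lists for the IAM identity that configures the export.
REQUIRED_IAM_ACTIONS = {
    "macie2:PutClassificationExportConfiguration", "s3:CreateBucket",
    "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:PutBucketAcl",
    "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutObject",
    "kms:ListAliases",
}


def _as_list(value):
    """Action, Resource and Service may be a string or a list in IAM JSON."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statements(policy):
    """Accept a full policy document or a bare statement (as in the article)."""
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def _matches(pattern, value):
    """Exact match or trailing-wildcard match, e.g. 's3:*' covers 's3:PutObject'."""
    return pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _macie_allows(stmt, action, resource):
    """True if stmt is an Allow for the Macie service principal on action/resource."""
    principal = stmt.get("Principal")
    return (
        stmt.get("Effect") == "Allow"
        and isinstance(principal, dict)
        and MACIE in _as_list(principal.get("Service"))
        and any(_matches(a, action) for a in _as_list(stmt.get("Action")))
        and any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))
    )


def check_iam_actions(identity_policy):
    """Return the required actions the identity policy does not allow (sorted)."""
    missing = set(REQUIRED_IAM_ACTIONS)
    for stmt in _statements(identity_policy):
        if stmt.get("Effect") == "Allow":
            for granted in _as_list(stmt.get("Action")):
                missing -= {a for a in missing if _matches(granted, a)}
    return sorted(missing)


def check_bucket_policy(bucket_policy, bucket):
    """Return the problems found in the findings bucket's policy."""
    stmts = _statements(bucket_policy)
    problems = []
    for action, resource in (("s3:PutObject", f"arn:aws:s3:::{bucket}/*"),
                             ("s3:GetBucketLocation", f"arn:aws:s3:::{bucket}")):
        if not any(_macie_allows(s, action, resource) for s in stmts):
            problems.append(f"no Allow of {action} for {MACIE} on {resource}")
    # The article's first statement: refuse any request that is not over TLS.
    if not any(s.get("Effect") == "Deny" and
               s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in stmts):
        problems.append("no Deny for aws:SecureTransport=false")
    return problems


def check_key_policy(key_policy, account_id):
    """Return the problems found in the KMS key policy."""
    stmts = _statements(key_policy)
    problems = [f"no Allow of {action} for {MACIE}"
                for action in ("kms:GenerateDataKey", "kms:Encrypt")
                if not any(_macie_allows(s, action, "*") for s in stmts)]
    # aws:SourceAccount stops Macie in another account from using this key.
    if not any(s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount") == account_id
               for s in stmts if _macie_allows(s, "kms:Encrypt", "*")):
        problems.append(f"Macie statement lacks aws:SourceAccount == {account_id}")
    return problems


# Constructed sample inputs (placeholder names, not real resources).
BUCKET, ACCOUNT = "example-macie-findings", "111122223333"
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"Service": MACIE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}  # deliberately missing the s3:GetBucketLocation statement
SAMPLE_KEY_POLICY = {"Effect": "Allow", "Principal": {"Service": MACIE},
                     "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*",
                     "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}

if __name__ == "__main__":
    for problem in check_bucket_policy(SAMPLE_BUCKET_POLICY, BUCKET):
        print("bucket policy:", problem)
    print("key policy problems:", check_key_policy(SAMPLE_KEY_POLICY, ACCOUNT))
```

Feed the script the output of `get-bucket-policy` and `get-key-policy` (both return the policy document as a JSON string) to check a real bucket and key; the IAM check takes the identity policy attached to the user from step 2. The checker only reads documents and makes no AWS calls, so it can also run in CI against policy files before they are deployed.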
For more information, see Troubleshooting errors.
**Note:** It's a best practice to grant only the least privilege required to perform a task. For more information, see Grant least privilege.
Related information
Getting started with Amazon Macie