Is your bucket and/or objects within it set to use SSE-KMS encryption? If so, the KMS key policy must permit the kms:Decrypt and kms:DescribeKey actions either to the IAM role that is used to create backups or the entire AWS account (the ":root" principal of the account) that contains the IAM role. If the KMS key policy allows access to the account's ":root" principal or if the KMS key is in a different AWS account from the IAM role, the same permissions must additionally be permitted in one of the policies attached to the IAM role.
The policy statement can look like this, as it's expressed in the identity-based policy attached to the default backup role:
{
  "Sid": "KmsPermissionsForBackup",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::000000000000:role/s3-backup-role" },
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*",
  "Condition": { "StringLike": { "kms:ViaService": "s3.*.amazonaws.com" } }
}
and for restoring backups:
{
  "Sid": "KmsPermissionsForRestore",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::000000000000:role/s3-backup-role" },
  "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "*",
  "Condition": { "StringLike": { "kms:ViaService": "s3.*.amazonaws.com" } }
}
If SSE-KMS encryption isn't used, then I suggest you first check that versioning is in the "enabled" state (not disabled or suspended) for the bucket and check if any "Deny" statements exist in the bucket policy that apply to the IAM role making the backups.
You mentioned in an earlier comment that SSE-KMS had been set for the bucket. When you change the bucket-level default encryption setting, it doesn't affect how the objects already in the bucket have been encrypted. All the objects previously placed there are probably encrypted with SSE-KMS, which you can verify by opening an individual object's properties in the console and checking what it says about the object's encryption characteristics, and in the absence of the necessary permissions in the KMS key policy, AWS Backup won't be able to decrypt the objects to back them up.
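As an added check (example code, not from this answer or from AWS): a small Python function that reads a KMS key policy document and reports which of the actions named above are not granted to the backup role, or to its account's ":root" principal, for calls that arrive via S3 in a given region. The embedded sample policy is constructed; the function only inspects the key policy side, so the identity-based policy attached to the role still has to be checked separately when access is granted via ":root" or the key lives in another account.

```python
import json
from fnmatch import fnmatch

# Constructed sample KMS key policy: grants the backup role Decrypt/DescribeKey
# only when the request comes through S3 (kms:ViaService condition).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KmsPermissionsForBackup", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/s3-backup-role"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
    ],
})

REQUIRED_FOR_BACKUP = {"kms:Decrypt", "kms:DescribeKey"}
REQUIRED_FOR_RESTORE = {"kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_arns(principal):
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def _via_service_ok(statement, region):
    # A kms:ViaService condition must admit the S3 endpoint of this region.
    cond = statement.get("Condition", {})
    patterns = []
    for op in ("StringLike", "StringEquals"):
        patterns += _as_list(cond.get(op, {}).get("kms:ViaService", []))
    if not patterns:
        return True  # no ViaService restriction on this statement
    return any(fnmatch(f"s3.{region}.amazonaws.com", p) for p in patterns)

def missing_kms_actions(policy_json, role_arn, region, required):
    """Return the required KMS actions that no Allow statement in the key
    policy grants to role_arn (or to its account's :root) for S3 calls."""
    account_id = role_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account_id}:root"
    granted = set()
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or not _via_service_ok(st, region):
            continue
        principals = _principal_arns(st.get("Principal", {}))
        if not any(p in (role_arn, root_arn, "*") for p in principals):
            continue
        for action in _as_list(st.get("Action", [])):
            granted |= {a for a in required if fnmatch(a, action)}
    return sorted(required - granted)
```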