Have you tried with a Service Control Policy and add Condition to not apply to a specific path? Just an idea as I haven’t tested that approach.
I got help from AWS Support on this (thanks, Manish!). The trick is the NotResource clause, which I'd never noticed in the documentation before:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWrongKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": "arn:aws:s3:::MYBUCKET/redshift_exports/*",
      "Condition": {
        "ArnNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID"
        }
      }
    },
    {
      "Sid": "RequireRedshiftBehaviorInRedshiftPrefix",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MYBUCKET/redshift_exports/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
This does exactly what we wanted:
- If the PutObject is inside the Redshift prefix, it must have the behavior redshift does.
- If it's outside the Redshift prefix, it must be encrypted with the default CMK for this bucket.
Of course, having to use 3 NOTs to make an assertion isn't exactly intuitive (Deny, NotResource, ArnNotEquals). It also doesn't generalize well for default cases; e.g., it's hard to write a rule that says "if the x-amz-acl argument exists, it must have value 'bucket-owner-full-control'", because ...IfExists doesn't work in DENY. The ArnNotEquals works above because in the default case, S3 still acts like that header was provided.
Thanks! I might have gone down that route, but all I needed in the end was NotResource.