Require KMS encryption with a specific key ID in an S3 bucket policy

2016-12-13 51 views
2

I am trying to require that all objects put into a bucket be encrypted with a specific KMS key. I managed to require KMS encryption, but the key specification does not work. This is the policy I currently have (without the real bucket name and key ID):

{ 
    "Version": "2012-10-17", 
    "Id": "PutObjPolicy", 
    "Statement": [ 
     { 
      "Sid": "DenyInsecureCommunications", 
      "Effect": "Deny", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": "s3:*", 
      "Resource": "arn:aws:s3:::bucket1", 
      "Condition": { 
       "Bool": { 
        "aws:SecureTransport": "false" 
       } 
      } 
     }, 
     { 
      "Sid": "DenyIncorrectEncryptionHeader", 
      "Effect": "Deny", 
      "Principal": "*", 
      "Action": "s3:PutObject", 
      "Resource": "arn:aws:s3:::bucket1/*", 
      "Condition": { 
       "StringNotEquals": { 
        "s3:x-amz-server-side-encryption": "aws:kms", 
        "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:123456789:key/12345-123-notmy-keyid-1234566" 
       } 
      } 
     }, 

     { 
      "Sid": "DenyUnEncryptedObjectUploads", 
      "Effect": "Deny", 
      "Principal": "*", 
      "Action": "s3:PutObject", 
      "Resource": "arn:aws:s3:::bucket1/*", 
      "Condition": { 
       "Null": { 
        "s3:x-amz-server-side-encryption": "true" 
       } 
      } 
     } 
    ] 
} 

This correctly denies uploads that do not specify any server-side encryption, but it still allows uploads that use the default S3 key.

Answer

3

If there are multiple condition operators, or if there are multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition

This means that a policy with both conditions under one operator will only deny when both strings are not equal (i.e. when the encryption is not KMS and the key ID is wrong).

Splitting the s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id tests into two separate Deny policy statements should be the fix.
