通过复制规则进行跨账户 S3 存储桶复制

Question

我有两个桶：

• “source-bucket”（在 AWS 账户 88888888 中）。
• “destination-bucket”（在 AWS 账户 99999999 中）

两个存储桶都启用了版本控制，并且位于同一区域 (eu-west-1)。

在源存储桶中，我创建了一个具有以下设置的复制规则：

我选择了自动创建角色，它使用以下策略创建了一个角色：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket",
                "arn:aws:s3:::source-bucket/*",
                "arn:aws:s3:::destination-bucket",
                "arn:aws:s3:::destination-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket/*",
                "arn:aws:s3:::destination-bucket/*"
            ]
        }
    ]
}

根据此处找到的文档https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html ，我在“destination-bucket”中添加了一个bucket策略，如下所示：

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::destination-bucket/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket"
        }
    ]
}

但是，当我将文件添加到源存储桶时，似乎没有任何反应。 有谁知道这里可能出了什么问题？

Answer 1

AWS 文档在这里并不是最好的。从您的图片中，我看到您已启用设置“将对象所有权更改为目标存储桶所有者”（大多数人都会这样做）。 但是，这需要在目标端获得额外的权限，才能赋予他们所有权。 s3:ObjectOwnerOverrideToBucketOwner

以下政策应该适合您

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::destination-bucket/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket"
        }
    ]
}

为了调试这个问题，我使用aws s3api head-object --bucket <bucket> --key <prefix> --query ReplicationStatus 来查看复制失败，然后我在目标端添加了s3:* 权限，以查看是否是权限问题。在这种情况下它是。

Answer 2

检查这是否有帮助。

默认情况下，Amazon S3 不会使用 AWS Key Management Service (AWS KMS) 客户主密钥 (CMK) 的服务器端加密复制静态存储的对象。要复制加密对象，您需要修改存储桶复制配置以告知 Amazon S3 复制这些对象。

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-4.html