我正在使用Amazon SES接收电子邮件,然后通过一组规则将这些邮件存储在Amazon S3中。然后,我的Java程序检索这些邮件。
整个过程目前运作良好。当我尝试加密电子邮件时出现问题...
以下是我的流程步骤:
- SES接收电子邮件
- SES使用KMS密钥对电子邮件进行加密(感谢SES规则集)。
- SES将电子邮件存储在Amazon S3上
- 我的Java应用程序从S3中检索邮件。
但是,当我调用S3检索电子邮件时,会出现以下错误:
com.amazonaws.services.kms.model.AWSKMSException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 8de11099-1706-11e8-a931-c7b8c61f94bc)
如此错误所述,我认为用于检索S3对象的用户无权访问用于加密消息的密钥。但据我了解Amazon政策的工作方式,我相信一切都是正确的(显然不是这样)。
有人知道我做错了什么或者我可以尝试什么来使其工作吗?
下面是关于当前配置的信息,例如我的用户和KMS密钥的策略,以及我正在使用的Java代码。
区域
The S3 bucket is in EU_WEST_1 (Ireland)
The key has been created in the EU_WEST_1 (Ireland) region
用户策略(详见附图)
此处使用的用户名称为delivery
AmazonS3FullAccess
AWSKeyManagementServicePowerUser
密钥策略
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111222333444:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"AIDAIEIV9CCM6CQJBN7HA",
"arn:aws:iam::111222333444:user/delivery"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"AIDAIEIV9CCM6CQJBN7HA",
"arn:aws:iam::111222333444:user/delivery"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"AIDAIEIV9CCM6CQJBN7HA",
"arn:aws:iam::111222333444:user/delivery"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:ses:source-account": "111222333444"
},
"Null": {
"kms:EncryptionContext:aws:ses:rule-name": "false",
"kms:EncryptionContext:aws:ses:message-id": "false"
}
}
}
]
}
S3 bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts-111222333444",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::received-emails.my-company-name/*",
"Condition": {
"StringEquals": {
"aws:Referer": "111222333444"
}
}
}
]
}
Java 代码
private static void getS3Object() {
// Use credentials to login.
BasicAWSCredentials awsCred = new BasicAWSCredentials("user access key", "user secret");
AWSCredentialsProvider credentialProvider = new AWSStaticCredentialsProvider(awsCred);
KMSEncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider("id of the key");
AmazonS3Encryption s3Client = AmazonS3EncryptionClientBuilder
.standard()
.withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly))
.withEncryptionMaterials(materialsProvider)
.withCredentials(credentialProvider)
.withRegion(Regions.EU_WEST_1).build();
// Get the object from S3
GetObjectRequest request = new GetObjectRequest(new S3ObjectId("Bucket name", "Object key"));
S3Object object = s3Client.getObject(request);
}
感谢您提前提供帮助!
.withRegion之外,您还需要提供CryptoConfiguration().withAwsKmsRegion()。 - eugenevd