Bob not only needed permission to the S3 bucket but also needed permission to use Alice’s KMS key to decrypt the data. The first thing that had to be considered was that enabling proper cross-account S3 access would not be sufficient.
SolutionĪfter reading through the documentation, I came up with a solution. Alice was writing data into her bucket and Bob wanted to copy this encrypted data into his own S3 bucket and encrypt it with his own key in order to do further analysis on the data. Alice’s S3 bucket was encrypted with her KMS key while Bob’s S3 bucket was encrypted with his own KMS key. In addition to the buckets’ being located in different AWS accounts, the contents of both buckets had to be encrypted. The request was to copy a file from Alice’s S3 bucket located in her AWS account into an S3 bucket located in a Bob’s AWS account. For simplicity, I would refer to the first AWS account as Alice’s account and the second AWS account as Bob’s account. I was recently presented with an interesting problem to solve for one of our clients. Despite Amazon S3’s being only an object store storage solution, this service can be leveraged to support some pretty complex architectural designs and business requirements.
0 kommentar(er)
