I'm a bit confused about how a ciphertext blob is decrypted with the AWS KMS client. Below is an example from the AWS documentation:
// Encrypt a data key
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ByteBuffer plaintext = ByteBuffer.wrap(new byte[]{1
There is an S3 bucket in my account with SSE enabled using the default aws-kms key. I want to give another account read access to my bucket.
I have provided access via the following link:
I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object> . to download the objects
I tried providing cross-account access to a bucket without SSE enabled. I was able to retrieve the bucket details and download objects successfully. However, when I try to download an object from the SSE-enabled bucket, I get An error occurred (AccessDenied) when calling the GetObject op
So I read this
Traditionally, keys have been managed in haphazard ways, from SCP-ing
keys around your instances to baking them into machine images. The safe
way to manage high-value keys has been to employ dedicated Hardware
Security Modules (HSMs), either on-premise or with the AWS CloudHSM
service. I