How do I resolve access denied issues when I export from DynamoDB to Amazon S3?
When I export Amazon DynamoDB table data into an Amazon Simple Storage Service (Amazon S3) bucket, I get an "Access denied" error.
Short description
If you get an AccessDenied error when you export, then your AWS Identity and Access Management (IAM) entity might not have the correct permissions. To export DynamoDB table data from a point within your point-in-time recovery (PITR) window, use DynamoDB export to S3. You can use this feature for AWS accounts that use either of the following data protection methods:
- Advanced Encryption Standard (AES)
- AWS Key Management Service (AWS KMS) customer managed keys
Resolution
Note: Run all AWS Command Line Interface (AWS CLI) commands from the account where the DynamoDB table is located. If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Prerequisites:
- Complete the prerequisites to request a table export in DynamoDB.
- Review your bucket policies for explicit deny actions. In the following example use cases, the bucket policies can't have any explicit deny actions.
AES
To export DynamoDB table data to an Amazon S3 bucket in the same account, run the following command:
```shell
aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256
```
To export DynamoDB table data to an Amazon S3 bucket in a different account, run the following command:
```shell
aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256
```
AWS KMS customer managed key
For accounts that use an AWS KMS customer managed key, update the AWS KMS customer managed key policy. The key policy must allow the IAM entity to access the AWS KMS key.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account ID>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```
Also, the IAM entity must have permissions to access the AWS KMS key that's used to perform the export.
Example AWS KMS key permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "<Provide KMS key ARN>"
    }
  ]
}
```
To use an AWS KMS customer managed key to export to an S3 bucket within the same account, run the following command:
```shell
aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>
```
To use an AWS KMS customer managed key to export to an S3 bucket in a different account, run the following command:
```shell
aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>
```
To let users in a different account access the exported table data, update the AWS KMS key policy in the DynamoDB source account. The key policy must grant those users the kms:Decrypt action so that they can read the exported objects.
Example AWS KMS key policy statement:
```json
{
  "Sid": "Enable cross account IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<Provide ARN of destination account user>"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
```
Additional troubleshooting
After you verify all permissions, if you still get the AccessDenied error message, then check if your organization has service control policies (SCPs). If your organization has SCPs, then detach or update the policy.
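A local pre-check that ties the prerequisites above together: it scans a bucket policy for explicit Deny statements that cover the export's S3 actions and checks an IAM policy for the kms:Decrypt and kms:GenerateDataKey grants on the export key. This is an added example, not code from the AWS article; the policy documents, account ID, bucket name and key ARN are constructed placeholders, and the S3 action list is assumed from the DynamoDB export prerequisites.

```python
import fnmatch

# Actions the export needs. The KMS pair is the article's own IAM example;
# the S3 actions are assumed from the DynamoDB export prerequisites.
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
EXPORT_S3_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"]

def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def explicit_denies(bucket_policy, actions):
    """Return Sids of Deny statements that cover any of `actions`.
    Conditions are not evaluated, so each hit needs a manual look; a Deny that
    uses NotAction is reported too because it denies everything not listed."""
    hits = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = _as_list(stmt.get("Action"))
        if "NotAction" in stmt or any(
                _action_matches(p, a) for p in patterns for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def missing_kms_actions(identity_policy, key_arn):
    """Return the required KMS actions that no Allow statement grants on `key_arn`."""
    granted = set()
    for stmt in _as_list(identity_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted |= {a for a in REQUIRED_KMS_ACTIONS if _action_matches(pattern, a)}
    return REQUIRED_KMS_ACTIONS - granted

# Constructed sample policies; account ID, bucket name and key ID are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowExportWrites", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExportRole"},
     "Action": EXPORT_S3_ACTIONS, "Resource": "arn:aws:s3:::example-export-bucket/*"},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-export-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

if __name__ == "__main__":
    print("Explicit denies to review:", explicit_denies(BUCKET_POLICY, EXPORT_S3_ACTIONS))
    print("Missing KMS actions:", missing_kms_actions(IDENTITY_POLICY, KEY_ARN))
```

On the constructed input the checker reports the conditional Deny on s3:PutObject for review and flags kms:GenerateDataKey as the missing grant, which is the gap that produces an AccessDenied during an AES256 or KMS export.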
Related information
Requesting a table export in DynamoDB
How do I provide cross-account access to objects that are in Amazon S3 buckets?