https://dev.classmethod.jp/articles/s3-inventory-reinvent/
Amazon S3 インベントリは、ストレージ管理に役立つ Amazon S3 が提供するツールの 1 つです。
これは、ビジネス、コンプライアンス、および規制上のニーズに対応して、
オブジェクトのレプリケーションと暗号化のステータスを監査し、レポートするために使用できます。
最初のレポートが配信されるまでに最大で 48 時間かかることがあります。
-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
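# 1.1 Install AWS CLI v2 from AWS's official distribution point.
# -f makes curl fail on an HTTP error instead of silently saving the error
# page as awscliv2.zip (which unzip would then reject, or worse, partially
# extract); -sS hides the progress bar but still reports errors; -L follows
# redirects.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# NOTE(review): a detached PGP signature is published next to the archive
# (same URL with a .sig suffix). Verify it with gpg against the AWS CLI
# public key from the AWS CLI install docs before running the installer
# with sudo — the steps below execute whatever the download contains.
unzip awscliv2.zip
sudo ./aws/install
aws --version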
-- 2. S3 バケットを作成する
# 2. Create the source bucket (bucket123-1, the one that will be
# inventoried) and the destination bucket (bucket123-2, where the reports
# are delivered). Bucket names are globally unique, so substitute your own
# names consistently throughout the rest of this page.
for bucket in bucket123-1 bucket123-2; do
  aws s3 mb "s3://${bucket}"
done
aws s3 ls
-- 3. KMSカスタマキーを作成する
{
"Id": "key01",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/iamuser"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::999999999999:user/iamuser"
]},
"Action": [
"kms:CreateGrant",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::999999999999:user/iamuser"
]}, "Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow Amazon S3 use of the KMS key",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey"
],
"Resource": "*",
"Condition":{
"StringEquals":{
"aws:SourceAccount":"999999999999"
},
"ArnLike":{
"aws:SourceARN": "arn:aws:s3:::bucket123-1"
}
}
}
]
}
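# 3. Create the customer-managed KMS key with the key policy shown above.
# The page never writes that document to disk: save it as key01.json first
# (as is done with the editor for a.json later).
# The policy's s3.amazonaws.com statement is scoped with aws:SourceAccount
# and aws:SourceARN, so only bucket123-1 in this account can have S3 use
# the key on its behalf (confused-deputy protection) — keep those
# conditions if you adapt the policy.
# NOTE(review): create the key in the same Region as the destination
# bucket; S3 Inventory's SSE-KMS key is expected to be in that Region —
# confirm against the S3 Inventory docs.
# Capture the key ARN instead of copying it by hand: it is needed verbatim
# in the inventory configuration (SSEKMS.KeyId) and again at cleanup.
key_arn=$(aws kms create-key \
  --description key01 \
  --policy file://key01.json \
  --query KeyMetadata.Arn \
  --output text) || exit 1
printf 'KMS key ARN: %s\n' "${key_arn}"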
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"InventoryAndAnalyticsExamplePolicy",
"Effect":"Allow",
"Principal": {"Service": "s3.amazonaws.com"},
"Action":"s3:PutObject",
"Resource":["arn:aws:s3:::bucket123-2/*"],
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::bucket123-1"
},
"StringEquals": {
"aws:SourceAccount": "999999999999",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
# 4. Attach the bucket policy shown above (saved as policy01.json) to the
# destination bucket, then read it back to confirm what S3 stored.
# That policy only lets the S3 service write under bucket123-2/* when the
# request originates from bucket123-1 in this account (aws:SourceArn +
# aws:SourceAccount) and the object is written with
# bucket-owner-full-control, so no other bucket can deliver reports here.
dest_bucket=bucket123-2
aws s3api put-bucket-policy --bucket "${dest_bucket}" --policy file://policy01.json
aws s3api get-bucket-policy --bucket "${dest_bucket}"
-- 5. インベントリ設定の作成
vim a.json   # write the inventory configuration shown below to a.json
{
"Destination": {
"S3BucketDestination": {
"AccountId": "999999999999",
"Bucket": "arn:aws:s3:::bucket123-2",
"Format": "CSV",
"Encryption": {
"SSEKMS": {
"KeyId": "arn:aws:kms:ap-northeast-1:999999999999:key/11111111-2222-3333-4444-555555555555"
}
}
}
},
"IsEnabled": true,
"Id": "1",
"IncludedObjectVersions": "Current",
"OptionalFields": [
"Size",
"LastModifiedDate",
"StorageClass",
"ETag",
"IsMultipartUploaded",
"ReplicationStatus",
"EncryptionStatus",
"BucketKeyStatus",
"IntelligentTieringAccessTier",
"ObjectLockMode",
"ObjectLockRetainUntilDate",
"ObjectLockLegalHoldStatus"
],
"Schedule": {
"Frequency": "Daily"
}
}
# Register the inventory configuration on the SOURCE bucket, then list and
# fetch it back. The --id passed here must equal the "Id" field inside
# a.json ("1"); the configuration delivers a daily CSV to bucket123-2,
# encrypted with the KMS key from step 3, and includes the
# compliance-relevant columns (EncryptionStatus, ReplicationStatus,
# ObjectLock*, BucketKeyStatus) among the optional fields.
src_bucket=bucket123-1
inventory_id=1
aws s3api put-bucket-inventory-configuration \
  --bucket "${src_bucket}" \
  --id "${inventory_id}" \
  --inventory-configuration file://a.json
aws s3api list-bucket-inventory-configurations --bucket "${src_bucket}"
aws s3api get-bucket-inventory-configuration --bucket "${src_bucket}" --id "${inventory_id}"
-- 6. テストファイルのアップロード
# 6. Upload two small test objects to the source bucket so the first report
# has something to list. The destination bucket is expected to stay empty
# here: nothing appears there until the first report is delivered.
for name in test01 test02; do
  printf '%s\n' "${name}" > "${name}.txt"
  aws s3api put-object --bucket bucket123-1 --key "${name}.txt" --body "${name}.txt"
done
aws s3 ls s3://bucket123-1 --recursive
aws s3 ls s3://bucket123-2 --recursive
-- 7. 動作確認
最初のレポートが配信されるまで待つ（最大で 48 時間程度かかる）
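# 7. Verify delivery. Reports land in the destination bucket under
# <source-bucket>/<inventory-id>/, i.e. bucket123-1/1/ here.
# The timestamp folder and the data-file name below come from one
# particular run on the page; they are parameterized so they can be taken
# from the `aws s3 ls` output (or from manifest.json, which lists the data
# files for that run) instead of being retyped into the middle of a path.
src_bucket=bucket123-1
dest_bucket=bucket123-2
inventory_id=1
report_prefix="${src_bucket}/${inventory_id}"
manifest_ts="2021-11-16T01-00Z"
data_file="6a62d3aa-7c76-4b2c-baef-c67c41728c31.csv.gz"
aws s3 ls "s3://${src_bucket}" --recursive
aws s3 ls "s3://${dest_bucket}" --recursive
# Print the manifest for the run to stdout.
aws s3 cp "s3://${dest_bucket}/${report_prefix}/${manifest_ts}/manifest.json" -
# Decompress one data file in-stream and show its first lines.
# NOTE(review): the manifest is expected to list each data file together
# with a checksum — if it does, compare it against the downloaded file
# before acting on the report's contents.
aws s3 cp "s3://${dest_bucket}/${report_prefix}/data/${data_file}" - | gzip -dc | head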
-- 8. クリーンアップ
-- KMSキーの一覧
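# 8. Cleanup.
# list-keys shows every key in the Region; pick out the one created in
# step 3. The ARN below is the placeholder used throughout this page —
# replace it with the real one (ideally the value printed by create-key).
aws kms list-keys
key_arn="arn:aws:kms:ap-northeast-1:999999999999:key/11111111-2222-3333-4444-555555555555"
# Scheduling deletion is irreversible once the waiting period ends: every
# object still encrypted under the key (the SSE-KMS inventory reports in
# bucket123-2) becomes permanently unreadable. 7 days is the minimum KMS
# accepts; use a longer window if anything else might depend on the key.
# "${key_arn:?}" aborts instead of passing an empty --key-id.
aws kms schedule-key-deletion \
  --key-id "${key_arn:?}" \
  --pending-window-in-days 7
# Empty and remove both buckets. --force deletes every object first, so
# check the listing and make sure these are the right bucket names.
aws s3 ls
for bucket in bucket123-1 bucket123-2; do
  aws s3 rb "s3://${bucket}" --force
done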