管理员无法在 AWS KMS 中加密/解密
mat*_*mat 5 amazon-web-services amazon-iam amazon-kms aws-policies
我正在 AWS 中使用密钥管理服务 (KMS),目前正在设置密钥策略。
我创建了两个角色KmsUser和KmsAdmin并将以下密钥策略附加到我的 CMK:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMS KeyAdmin access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsAdmin",
"arn:aws:iam::1234567890:user/myadmin"
]},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "KMS KeyUser access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsUser"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
问题是,现在如果我尝试使用我的密钥作为myadmin用户(附加了AdministratorAccess策略),我会在 CLI 中收到错误消息:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMS KeyAdmin access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsAdmin",
"arn:aws:iam::1234567890:user/myadmin"
]},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "KMS KeyUser access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsUser"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
特别奇怪的是,IAM 策略模拟器告诉我一切都应该按预期工作:
如果我手动将myadmin用户添加为关键用户策略的主体,则一切正常。
您需要将这样的声明添加到您的关键策略中:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:root"
},
"Action": "kms:*",
"Resource": "*"
}
这允许账户有权访问该密钥,这是启用 IAM 对其进行访问所必需的。
| 归档时间: |
|
| 查看次数: |
14723 次 |
| 最近记录: |