Understanding KMS key policies?

use*_*691 6 amazon-web-services amazon-iam amazon-kms

I have an IAM group named group-dev with several users attached to it, and I have a custom IAM policy (below). Is this IAM policy alone sufficient for the users in that group to encrypt with and list KMS keys?

Basically my goal is to create the IAM group and attach the policy to several users, so that when a new user is added I don't have to do the work twice, i.e. add them to the group and then also add them to the KMS key policy. So will it work with the following policies?

IAM group inline policy (the post shows only the statement; it is wrapped here in the enclosing policy document so that it is valid JSON):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:List*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:Describe*",
        "kms:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

KMS key policy:

```json
{
    "Id": "key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
```

Here is a snippet from the AWS documentation: https://docs.amazonaws.cn/en_us/kms/latest/developerguide/kms-dg.pdf#page=95&zoom=100,96,105

Allowing multiple IAM users to access a CMK

IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of the following:

  • Add each IAM user to the key policy. This approach requires that you update the key policy each time the list of authorized users changes.
  • Ensure that the key policy includes the statement that enables IAM policies to allow access to the CMK (p. 72). Then create an IAM policy that allows access to the CMK, and then attach that policy to an IAM group that contains the authorized IAM users. Using this approach, you don't need to change any policies when the list of authorized users changes. Instead, you only need to add or remove those users from the appropriate IAM group.

These look like contradictory statements, or am I misunderstanding?

  • Enables IAM policies to allow access to the CMK. IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS CMKs (p. 69).

Chr*_*ams 7

First, compare how they work together: every CMK (customer managed key) is created with a key policy, which restricts which principal (the caller of the operation, i.e. an IAM role / IAM user / service) can access it (and which permissions that principal gets). No matter what IAM permissions you grant, if your key policy does not allow that permission, no IAM user (including the root user) can perform that operation.

The IAM policy attached to a user grants the maximum set of permissions the user can exercise. When an operation is evaluated, the key policy permissions are evaluated as well, and if both policies allow the permission, the principal is allowed to perform the operation.

In summary, for KMS both the key policy and the IAM policy permissions must allow access. The permissions you have will give the users most of the access to the KMS key.

  • With the key policy you currently have, anyone in that account has all permissions, because of "arn:aws:iam::xxxxxxxxxx:root". If you want to restrict it to these users, the Principal just needs to list the users' ARNs individually :) (3 upvotes)
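The evaluation described in the answer and in the quoted documentation, as an added example that is not part of the original question or answer: a small simulator of how a same-account KMS key policy and the IAM identity policies combine. It feeds in the two policies from the question and the two alternatives the documentation lists (naming users directly in the key policy versus delegating to IAM through the account-root statement). The account id 111122223333, key id, region and the user names alice and bob are placeholders; the model handles Allow/Deny, Action/Resource wildcards and the account-root principal, and deliberately ignores conditions, grants, SCPs and cross-account access.

```python
"""Simplified simulator of KMS key policy + IAM policy evaluation.
Added example; placeholder account, key, region and users."""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id (the question shows xxxxxxxxxx)
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"  # placeholder user, member of group-dev
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"      # placeholder user

# The key policy from the question: only the "Enable IAM User Permissions" statement.
KEY_POLICY_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]}

# Alternative from the docs: name a user directly, and no account-root statement.
KEY_POLICY_BOB_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOB},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}

# The group-dev inline policy from the question.
GROUP_DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:List*", "kms:Encrypt", "kms:Decrypt", "kms:Describe*", "kms:Get*"],
     "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _any_match(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _covers(stmt, action, resource):
    return _any_match(stmt["Action"], action) and _any_match(stmt.get("Resource", "*"), resource)


def _key_policy_verdict(key_policy, principal_arn, action, key_arn):
    """Return (explicit_deny, allowed_directly, allowed_via_account_root)."""
    root_arn = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    deny = direct = via_root = False
    for stmt in key_policy["Statement"]:
        if not _covers(stmt, action, key_arn):
            continue
        p = stmt.get("Principal", {})
        named = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        hits_user = any(fnmatch.fnmatchcase(principal_arn, n) for n in named)
        hits_root = root_arn in named
        if stmt["Effect"] == "Deny":
            deny |= hits_user or hits_root
        else:
            direct |= hits_user      # key policy names this principal itself
            via_root |= hits_root    # key policy delegates the decision to IAM policies
    return deny, direct, via_root


def _iam_verdict(iam_policies, action, key_arn):
    allow = deny = False
    for policy in iam_policies:
        for stmt in policy["Statement"]:
            if _covers(stmt, action, key_arn):
                if stmt["Effect"] == "Deny":
                    deny = True
                else:
                    allow = True
    return allow, deny


def is_allowed(principal_arn, action, key_arn, key_policy, iam_policies=()):
    """Same-account KMS authorization, simplified: an explicit Deny anywhere wins;
    a key policy that names the principal itself is sufficient on its own;
    otherwise the account-root statement must be present AND an IAM policy
    attached to the principal must allow the action."""
    key_deny, direct, via_root = _key_policy_verdict(key_policy, principal_arn, action, key_arn)
    iam_allow, iam_deny = _iam_verdict(iam_policies, action, key_arn)
    if key_deny or iam_deny:
        return False
    if direct:
        return True
    return via_root and iam_allow


def demo():
    """The question's scenario plus the cases the quoted documentation describes."""
    return {
        "alice in group-dev, Encrypt":
            is_allowed(ALICE, "kms:Encrypt", KEY_ARN, KEY_POLICY_ROOT, [GROUP_DEV_POLICY]),
        "alice in group-dev, ListKeys":
            is_allowed(ALICE, "kms:ListKeys", KEY_ARN, KEY_POLICY_ROOT, [GROUP_DEV_POLICY]),
        "alice in group-dev, ScheduleKeyDeletion (not in IAM policy)":
            is_allowed(ALICE, "kms:ScheduleKeyDeletion", KEY_ARN, KEY_POLICY_ROOT, [GROUP_DEV_POLICY]),
        "alice not in group-dev, Encrypt":
            is_allowed(ALICE, "kms:Encrypt", KEY_ARN, KEY_POLICY_ROOT, []),
        "bob named in key policy, no IAM policy, Encrypt":
            is_allowed(BOB, "kms:Encrypt", KEY_ARN, KEY_POLICY_BOB_ONLY, []),
        "alice in group-dev, key policy lacks root statement, Encrypt":
            is_allowed(ALICE, "kms:Encrypt", KEY_ARN, KEY_POLICY_BOB_ONLY, [GROUP_DEV_POLICY]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{'ALLOW' if verdict else 'DENY':5} {case}")
```

The two cases to compare are the fourth and the last: with the question's key policy, a user who is not in group-dev is denied even though the key policy says `kms:*` for the account root, and a user who is in group-dev is denied as soon as the root statement is removed from the key policy. That is the "both must allow" rule from the answer, and why the comment's suggestion (listing user ARNs as principals) is the only way to restrict access without relying on IAM policies.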