在KMS 中有亚马逊别名密钥(例如/alias/aws/s3)和客户主密钥(CMK)。
对于每个开发团队,我都有一些带有别名的 CMK(例如/alias/team1/default,/alias/team1/confidential)
我想允许访问所有 IAM 用户/组/角色的 aws 别名密钥,但提供对团队级别密钥的团队级别访问权限
尝试允许访问 aws 托管密钥时出现了我的问题
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"kms:*"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
},
{
"Effect": "Allow",
"Resource": "arn:aws:kms:us-east-1:111111111111:alias/aws/*",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
}
]
}
为了提供隐含的拒绝iam:*和kms:*,但允许访问AWS化名键
使用 IAM 策略模拟器时,我似乎必须提供对完整密钥 arn ( arn:aws:kms:us-east-1:111111111111:key/abcd123-acbd-1234-abcd-acbcd1234abcd …