The new key policy will not allow you to update the key policy in the future

The title says it all. Whenever I try to create a KMS key through an AWS CloudFormation template, I get this error. I am creating the template as an IAM user with administrative permissions, and I want the key to be manageable by any IAM user in the same AWS account who has KMS permissions. I am using the following YAML resource definition for the key:

LambdaKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action: kms:*
          Principal:
            AWS: <Principal>

However, NONE of the following values for <Principal> are working, even when I try to create the stack as the root user!

I can't just hard-code a user name in the Principal, because I want anyone with stack-creation permissions to be able to instantiate this template. Does anyone know how to resolve this very frustrating situation? Thanks in advance.

EDIT:

I should mention that I no longer define KMS key policies in CloudFormation templates at all. In fact, I now avoid defining any security resources in my CF templates, such as IAM entities, policies, and ACM certificates. The reasons I do this are described in the GitHub issue.

You are missing the Resource: "*" property. This works for me:

  LambdaKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action: kms:*
          Resource: "*"
          Principal:
            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]

Resource: "*" is required and is the only possible value:

Resource – (Required) In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to.

See https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/ for an example.

LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action: kms:*
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"

This policy is somewhat dangerous, because it gives any user or role under the account the kms:decrypt permission to decrypt and view the key, which is insecure and fails penetration testing.

If you want to remove the decrypt permission:

LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/sudo
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/admin
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action:
            - kms:List*
            - kms:Get*
            - kms:Encrypt
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"

In this way I grant all permissions except decrypt to the sudo and admin roles (make sure you have these roles), and I grant list, get and encrypt permissions to the roles and users that have list, get and encrypt permissions.

I ran into the same error when trying to create a CMK from a Lambda function. So I added the Lambda role ARN to the key policy when creating the key.

{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn of lambda role"
  },
  "Action": "kms:*",
  "Resource": "*"
}

In case it helps someone, note the remark at https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/:

Important: Be sure that the key policy that you create allows the current user to administer the CMK.

I ran into this problem when deploying the template from a pipeline, and the suggested solutions did not work for me. The role used to deploy the template had the appropriate KMS permissions, but it also needs to be in the Principal of the key policy!

  - Effect: Allow
    Action: kms:*
    Resource: "*"
    Principal:
      AWS:
        - !Sub arn:aws:iam::${AWS::AccountId}:role/PipelineRole
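The answers above boil down to two checks a deployer can run on a key policy before CloudFormation ever sees it: every statement must carry Resource "*", and the principal that creates the key must end up allowed to change the policy (kms:PutKeyPolicy, directly or via kms:* / kms:Put*), whether that is the account root, a named admin role, or the pipeline role from the last answer. The linter below is an added example, not code from any answer on this page. It evaluates the policy document only (no IAM policy evaluation, no NotAction/Condition handling) and uses constructed sample ARNs and account id 123456789012; the delegate_to_iam flag expresses the usual KMS behaviour that a grant to the account root lets IAM policies in that account authorize the action.

```python
"""Pre-deployment lint for a KMS key policy (added example; sample data constructed)."""
import fnmatch
import re

ADMIN_ACTION = "kms:PutKeyPolicy"  # the permission the key creator must keep


def _as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action wildcards are case-insensitive; '*' and '?' behave as in fnmatch."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def principal_covers(principal, caller_arn, delegate_to_iam):
    """Does a statement's Principal apply to caller_arn?

    A grant to 'arn:aws:iam::<acct>:root' applies to every principal of that
    account only when delegate_to_iam=True (i.e. we assume the caller's own IAM
    policy also allows the action); otherwise only an exact ARN match counts."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS")):
        if entry in ("*", caller_arn):
            return True
        m = re.fullmatch(r"arn:aws:iam::(\d{12}):root", entry)
        if m and delegate_to_iam and m.group(1) == caller_account:
            return True
    return False


def lint_key_policy(policy, caller_arn, delegate_to_iam=True):
    """Return a list of findings; an empty list means the policy passes both checks."""
    findings = []
    allowed = denied = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        resources = _as_list(stmt.get("Resource"))
        if resources != ["*"]:
            findings.append(f'{sid}: Resource must be exactly "*" in a key policy, got {resources!r}')
        if not principal_covers(stmt.get("Principal"), caller_arn, delegate_to_iam):
            continue
        if any(action_matches(p, ADMIN_ACTION) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    if denied or not allowed:
        findings.append(f"{caller_arn} is not allowed {ADMIN_ACTION}: this policy would lock the creator out")
    return findings


# Constructed sample principals (not real accounts or roles).
ACCOUNT = "123456789012"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
PIPELINE = f"arn:aws:iam::{ACCOUNT}:role/PipelineRole"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/LambdaExecutionRole"

# The question's policy: Resource is missing.
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Principal": {"AWS": ROOT}}]}

# The accepted answer's shape: root gets kms:* on "*".
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*", "Principal": {"AWS": ROOT}}]}

# A locked-down policy: one admin role keeps Put*, root only List/Get/Encrypt, Lambda only uses the key.
LOCKED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admins", "Effect": "Allow", "Principal": {"AWS": PIPELINE},
     "Action": ["kms:Create*", "kms:Put*", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    {"Sid": "Root", "Effect": "Allow", "Principal": {"AWS": ROOT},
     "Action": ["kms:List*", "kms:Get*", "kms:Encrypt"], "Resource": "*"},
    {"Sid": "Use", "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy, caller in [("broken/root", BROKEN, ROOT), ("fixed/root", FIXED, ROOT),
                                 ("locked/pipeline", LOCKED, PIPELINE), ("locked/lambda", LOCKED, LAMBDA_ROLE)]:
        print(name, "->", lint_key_policy(policy, caller) or "OK")
```

Run with delegate_to_iam=False to see the pipeline answer's situation: the FIXED policy grants only root, so a pipeline role that is not named in the policy fails the creator check even though its IAM policy may allow kms:*.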