复制和加密 AMI 所需的 AWS 权限

Question

我正在尝试将 AMI 从一个 AWS 账户复制到另一个账户并使用目标账户中的 CMK 对其进行加密。

CMK 上的关键策略是：

{
  "Version": "2012-10-17",
  "Id": "key-default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TARGET-ACCOUNT-NUMBER:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

我已经使用以下策略在目标账户中创建了一个角色：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "ec2:CopyImage"
            ],
            "Resource": "*"
        }
    ]
}

此角色还附加了 AmazonEC2ReadOnlyAccess 政策。

如果我登录根账户并担任目标账户中的角色，然后尝试使用我的 CMK 复制 AMI，它会失败并显示 Snapshot snap-abc123xyz is in an unexpected state: error。快照上没有其他信息来指示根本原因。

如果我将 AdministratorAccess 策略附加到 AMI 复制的角色，那么这一定是权限问题。

有人可以提供复制加密 AMI 所需的权限列表吗？

Answer 1

来自此博客：https://aws.amazon.com/blogs/aws/new-cross-account-copying-of-encrypted-ebs-snapshots/

"Target Account – The IAM user or role in the target account needs to be able perform the DescribeKey, CreateGrant, and Decrypt operations on the key associated with the original snapshot. The user or role must also be able to perform the CreateGrant, Encrypt, Decrypt, DescribeKey, and GenerateDataKeyWithoutPlaintext operations on the key associated with the call to CopySnapshot."

此外，我相信这就是您要找的：https://aws.amazon.com/blogs/security/how-to-create-a-custom-ami-with-encrypted-amazon-ebs-snapshots-and-share-it-with-other-accounts-and-regions/

复制和加密 AMI 所需的 AWS 权限

AWS permissions required to copy and encrypt AMI

amazon-ec2

amazon-web-services

ec2-ami

amazon-iam

aws-kms