How do I get AWS cross-account KMS keys to work?
I'm trying to set up cross-account access so that an external account can use my KMS key to decrypt data from an S3 bucket. I've set up the key, the policy and the role with what I believe are the correct grants, but I can't describe the key from the external account. I'd appreciate some input on what I'm doing wrong.
Account 111: the key, with a policy granting access to the external account's root (999)
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
The role in account 999 has a policy attached that grants access to the key from 111:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:RevokeGrant",
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": "arn:aws:kms:us-west-2:111:key/abc-def",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*"
    }
  ]
}
However, when I assume the role in 999 using aws-shell:
aws> kms describe-key --key-id=abc-def
An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist
Your key, role and policies are set up correctly. When you call describe-key on a customer master key (CMK) in a different AWS account, you must specify the key ARN or the alias ARN as the value of the key-id parameter.
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
That is, the following will work:
aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
If everything else works, pay close attention to the conditions in the key policy. For example, the policy below appears to allow AccountA to use the key.
{
  "Sid": "Allow use of the key for SSM only",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::AccountA:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "ssm.*.amazonaws.com",
        "autoscaling.*.amazonaws.com"
      ]
    }
  }
},
{
  "Sid": "Allow reading of key metadata",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::AccountA:root"
  },
  "Action": "kms:DescribeKey",
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::AccountA:root"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*"
}
However, if you look at the conditions more closely, you'll see that use of the key is restricted to certain services by the "kms:ViaService" condition.
You can also use a kms:ViaService condition key to deny permission to use a CMK when the request comes from particular services.
More information: AWS Doc Reference.
In this case the key is restricted to ec2 and auto-scaling. If you run "aws kms describe-key" from an ec2 instance you will see the response come back, but you won't be able to use the key with other services such as AWS Secrets Manager. In other words, the following command will fail on the same ec2 instance.
aws secretsmanager create-secret --name MyTestSecret \
--description "My test database secret created with the CLI" \
--kms-key-id arn:aws:kms:GIVEN_KEY_ID
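As an added example (not from either answer), a small Python check that models the two points raised above: how KMS resolves a bare key ID against the caller's own account, and whether a key policy statement's kms:ViaService condition admits a given request. The sample policy embeds the AccountA statements from the second answer; the evaluation is deliberately limited to Allow statements, account-root principals and the StringLike ViaService condition, so it is an illustration of the policy logic, not a replacement for IAM's evaluation.

```python
import fnmatch

# Constructed sample: the two AccountA statements from the answer above, as a key policy.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key for SSM only", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::AccountA:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
         "Resource": "*",
         "Condition": {"StringLike": {"kms:ViaService": [
             "ssm.*.amazonaws.com", "autoscaling.*.amazonaws.com"]}}},
        {"Sid": "Allow reading of key metadata", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::AccountA:root"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}

def resolve_key_id(key_id, caller_account, region):
    """Mimic how KMS resolves --key-id: a bare key ID or alias name is looked up in the
    caller's own account, which is why a foreign key must be given as a key or alias ARN."""
    if key_id.startswith("arn:aws:kms:"):
        return key_id
    prefix = "" if key_id.startswith("alias/") else "key/"
    return f"arn:aws:kms:{region}:{caller_account}:{prefix}{key_id}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def key_policy_allows(policy, principal_account, action, via_service=None):
    """Return the Sid of the first Allow statement that matches the account-root principal,
    the action (IAM-style wildcards) and any kms:ViaService StringLike condition, else None.
    Deny statements, other condition keys and the caller's IAM policy are out of scope."""
    principal_arn = f"arn:aws:iam::{principal_account}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("kms:ViaService")
        if patterns is not None:
            # Condition present: a direct call (no service) or an unlisted service fails it.
            if via_service is None or not any(
                    fnmatch.fnmatchcase(via_service, p) for p in _as_list(patterns)):
                continue
        return stmt.get("Sid")
    return None
```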