AWS CloudFormation - Correct Usage of the Default Key Policy in AWS::KMS::Key

I am trying to deploy a KMS CMK with the default key policy. According to the documentation, if you do not specify a policy when creating the key, AWS uses the default key policy. However, when using CloudFormation, the KeyPolicy property is required. Does anyone know how to specify the default policy in the KeyPolicy statement, or am I missing something?

I am trying to create an AWS::KMS::Key resource, which according to the documentation should be able to use the default key policy as the KeyPolicy property; however, as the documentation states:

If you are unsure of which policy to use, consider the default key policy. This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you to write IAM policies to authorize access to the key. For details, see Default key policy in the AWS Key Management Service Developer Guide.

Unfortunately, the KeyPolicy property is marked as required, whereas using the default key policy explicitly requires not passing any value. How can I use the default key policy in the KeyPolicy property when a value must be passed?

After doing more research on this, it appears the correct way to handle it is to pass the equivalent of what the default key policy enforces into the actual CloudFormation property.

Consider the following documentation on the default key policy:

The following default key policy statement is critical.

It gives the AWS account that owns the KMS key full access to the KMS key.

Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its users. To give permission to account administrators, the key policy must include an explicit statement that provides this permission, like this one.

It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.

Without this permission, IAM policies that allow access to the key are ineffective, although IAM policies that deny access to the key are still effective.

It reduces the risk of the key becoming unmanageable by giving access control permission to the account administrators, including the account root user, which cannot be deleted.

The following key policy statement is the entire default key policy for KMS keys created programmatically. It's the first policy statement in the default key policy for KMS keys created in the AWS KMS console.

The last line in particular reveals the answer:

The following key policy statement is the entire default key policy for KMS keys created programmatically. It's the first policy statement in the default key policy for KMS keys created in the AWS KMS console.

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

So, because the KeyPolicy field in the CloudFormation AWS::KMS::Key resource is required, to pass the default key policy you need to submit the block above, which would normally be created for you if you called the KMS API without an explicit KeyPolicy.
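To show how that statement is placed into a template, here is an added example CloudFormation template (not part of the original answer) that reproduces the default key policy in the KeyPolicy property. It uses the AWS::AccountId and AWS::Partition pseudo parameters so the root principal ARN does not have to be hard-coded, and the key and alias names are assumed for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: KMS key whose KeyPolicy reproduces the default key policy statement

Resources:
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Example CMK using the equivalent of the default key policy
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Equivalent of the single statement KMS generates for CreateKey
          # with no key policy. Granting the account root principal kms:*
          # does two things: it lets IAM policies in this account grant
          # access to the key, and it keeps the key manageable because the
          # root user cannot be deleted. Omitting it makes IAM "Allow"
          # policies for this key ineffective.
          - Sid: Enable IAM policies
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

  # Alias name is an assumption for the example.
  DataKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/example-data-key
      TargetKeyId: !Ref DataKey

Outputs:
  KeyArn:
    Description: ARN of the key, for use in IAM policies and other stacks
    Value: !GetAtt DataKey.Arn
```

Further statements (for example, key administrators or key users) can be appended to the same Statement list; the console's default policy adds those after this first statement.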