AWS IAM policy to enforce that new EBS volumes are encrypted

In the AWS Key Management Service Best Practices whitepaper, in the section on encrypting data at rest with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to “true” through an IAM policy. If the flag is not “true” then the IAM policy can prevent an individual from creating the EBS volume

How do I do this? I imagine the policy would look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, a Bool condition on the ec2:Encrypted key makes the most sense, but when I try to create an encrypted volume I get Access Denied.

What am I missing in the statement?

You need additional permissions to create encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Note: I have not dug into KMS to work out the minimum permissions for using a KMS encryption key. If you want to create a volume from a snapshot, you need to add ec2:DescribeSnapshots.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
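Added example, not code from the question or either answer: a small Python model of the IAM evaluation both rely on (action globs, the Bool condition on ec2:Encrypted, implicit deny). It shows that the asker's policy alone allows CreateVolume only when the request context carries ec2:Encrypted=true and grants nothing else, and that the extra statements in the answer above supply the kms:* and DescribeAvailabilityZones grants; the policy text is a constructed copy of the JSON on this page, and the evaluator deliberately ignores explicit Deny statements, other attached policies and SCPs.

```python
import fnmatch
import json

# Constructed copy of the asker's single-statement policy from the question.
ASKER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:CreateVolume"],
    "Condition": {"Bool": {"ec2:Encrypted": "true"}},
    "Resource": ["*"]
  }]
}""")

# The same policy plus the two statements the answer above adds.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": ASKER_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeAvailabilityZones"], "Resource": "*"},
]}

def _bool_condition_matches(condition, context):
    """Only the Bool operator is modelled: each key must be present in the
    request context and equal the expected value; a missing key fails."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True

def is_allowed(policy, action, context=None):
    """True if some Allow statement matches the action and its condition
    holds; otherwise IAM's implicit deny. Explicit Deny statements, other
    attached policies and SCPs are out of scope for this model."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        patterns = actions if isinstance(actions, list) else [actions]
        # Action names are case-insensitive and support * and ? globs.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if _bool_condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```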

John Hanley is right.

The complete policy I ended up using looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt2222222222222",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1111111111111",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        "kms:ListAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "allowKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
      ]
    }
  ]
}

"kms:encrypt" alone no longer works for creating an encrypted EBS volume. A working solution was found at the following link:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Permissions for creating and attaching EBS Volume to an EC2Resource in AWS Data Pipeline

To do this without the wildcard kms action ("kms:*"), include the following under Action:
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"

along with

"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:EnableVolumeIO"