Terraform - aws_kms_key throwing MalformedPolicyDocumentException

I am implementing some AWS security policies for our client accounts. I plan to deploy them through Terraform, and so I am using the aws_kms_key resource to create some KMS keys for CloudTrail encryption. This is what my code looks like:

resource "aws_kms_key" "trail" {
  description         = "KMS Key for CloudTrails encryption"
  enable_key_rotation = true

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
EOF
}

But that throws

aws_kms_key.trail: MalformedPolicyDocumentException: status code: 400, request id: a1e22d67-327f-11e8-8db1-195a2ed24241

when applying. Can anyone help?

Thanks in advance.

The last statement repeats the Condition key. If you want multiple conditions, create them inside a single Condition.
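A check for this class of mistake, added here as an example and not part of the question or the answer: a Python script that parses a policy statement, reports any key that appears twice in the same JSON object, and then folds the two Condition blocks into the single block the answer recommends. The statement below is a constructed copy of the question's last statement with a placeholder user id; `duplicate_keys`, `load_policy` and `fixed_statement_json` are names chosen for this example.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a policy object repeats a key that cannot be merged."""


# Constructed sample: the question's last statement, trimmed to what matters.
# The user id is a made-up placeholder, not a real AWS identifier.
BROKEN_STATEMENT = """
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": "*",
  "Condition": {
    "StringNotLike": { "aws:userid": ["AIDAEXAMPLEPLACEHOLDER:*"] }
  },
  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
  "Resource": "*",
  "Condition": {
    "Bool": { "kms:GrantIsForAWSResource": "true" }
  }
}
"""


def duplicate_keys(text: str) -> list[str]:
    """Return every key that appears more than once in any object of the JSON text.

    Plain json.loads keeps only the last value of a repeated key, so the second
    "Condition" would silently replace the first (and its aws:userid guard)
    instead of being reported; object_pairs_hook sees every pair.
    """
    found = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                found.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return found


def _merge_condition_blocks(first: dict, second: dict) -> dict:
    """Combine two Condition blocks into one; the same operator/key twice is an error."""
    merged = {op: dict(keys) for op, keys in first.items()}
    for op, keys in second.items():
        target = merged.setdefault(op, {})
        for cond_key, cond_val in keys.items():
            if cond_key in target:
                raise DuplicateKeyError(f"condition {op}/{cond_key} given twice")
            target[cond_key] = cond_val
    return merged


def load_policy(text: str, merge_conditions: bool = False) -> dict:
    """Parse a policy document, refusing duplicate keys.

    With merge_conditions=True, repeated "Condition" keys are folded into one
    block (the fix the answer describes); any other repeated key still raises.
    """

    def hook(pairs):
        result = {}
        for key, value in pairs:
            if key in result:
                if key == "Condition" and merge_conditions:
                    result[key] = _merge_condition_blocks(result[key], value)
                    continue
                raise DuplicateKeyError(f"duplicate key {key!r} in policy object")
            result[key] = value
        return result

    return json.loads(text, object_pairs_hook=hook)


def fixed_statement_json(text: str) -> str:
    """Render the statement with the merged Condition, ready to paste back into the policy."""
    return json.dumps(load_policy(text, merge_conditions=True), indent=2)


if __name__ == "__main__":
    print("duplicate keys:", duplicate_keys(BROKEN_STATEMENT))
    print(fixed_statement_json(BROKEN_STATEMENT))
```

The merged block keeps both the `StringNotLike` guard on `aws:userid` and the `Bool` check on `kms:GrantIsForAWSResource`, which is what the two separate blocks were meant to express; a parser that silently dropped one of them would weaken the key policy without any error. Building the policy with Terraform's `jsonencode()` on an HCL object instead of a raw heredoc also helps, because a repeated attribute in an object expression is rejected at plan time rather than by the KMS API.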