Using Encrypted EBS Volumes in Auto Scaling Groups with CMK owned by a different AWS account
I am trying to use an Auto Scaling group in AWS to create and manage instances launched from an AMI with encrypted snapshots, which were encrypted with a CMK owned by a different AWS account.
I keep getting the error "Client.InternalError: Client error on launch". According to Scenario 2 at https://docs.aws.amazon.com/autoscaling/ec2/userguide/ts-as-instancelaunchfailure.html#ts-as-instancelaunchfailure-12, I need to create a grant on the CMK with the Auto Scaling group service-linked role as the grantee principal.
I tried to set up the grant following the AWS documentation and the guidelines in https://forums.aws.amazon.com/thread.jspa?threadID=277523.
However, I keep getting an AccessDeniedException saying that my user is not authorized to perform kms:CreateGrant on the CMK.
I feel like I followed the instructions exactly, but it does not work. I hope someone can offer some insight.
I chatted with an AWS employee who ran into the same issue until he re-read the forum post. The key line in Case 2 Step 4 is "The kms:GrantIsForAWSResource condition is not included to allow an IAM user or role in account 111122223333 to create the grant in the next step.".
In other words, you need to remove this condition from the default key policy of the customer-managed CMK.
The instructions could have made this requirement more explicit, but technically it is there and it solves the problem.
Edit: for clarification, I am including the default and the modified JSON below.
Below is the default key policy as shown at https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSAdminUser",
        "arn:aws:iam::111122223333:role/KMSAdminRole"
      ]},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
The key is to remove the "kms:GrantIsForAWSResource" condition, as shown below.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSAdminUser",
        "arn:aws:iam::111122223333:role/KMSAdminRole"
      ]},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*"
    }
  ]
}
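To see why the condition matters before touching a production key policy, the following added example (not code from the question or the answers above) models the small part of IAM evaluation that decides this case: a Bool condition on kms:GrantIsForAWSResource only matches when the CreateGrant call is made by an AWS service on the principal's behalf, so a direct call from an IAM user or role has no such key in its request context and the "Allow attachment of persistent resources" statement does not apply. Assumptions: an account root principal is treated as matching any IAM principal of that account (in reality that principal's own IAM policy must also allow the action), Deny statements are not modelled, only the Bool condition operator is implemented, and the policy and the caller ARN arn:aws:iam::444455556666:user/Deployer are constructed from the default policy quoted above.

```python
"""Offline check of a KMS key policy against a kms:CreateGrant request.

Simplified model (assumptions): root principals stand in for any principal
of their account, no Deny statements, only the Bool condition operator.
"""
import copy
import fnmatch

# Constructed: the grant-related statement of the default key policy shown above.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:user/KMSUser",
                "arn:aws:iam::444455556666:root",
            ]},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        }
    ],
}


def without_condition(policy, sid):
    """Return a copy of `policy` with the Condition removed from statement `sid`."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            stmt.pop("Condition", None)
    return fixed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account:resource -> index 4 is the account id
    return arn.split(":")[4]


def principal_matches(allowed, caller_arn):
    """True if `caller_arn` is listed, or (assumption) its account root is listed."""
    for arn in _as_list(allowed):
        if arn == caller_arn:
            return True
        if arn.endswith(":root") and _account_of(arn) == _account_of(caller_arn):
            return True
    return False


def condition_matches(condition, context):
    """Evaluate a Condition block; only Bool is modelled (assumption).

    As in IAM, a Bool condition whose key is absent from the request context
    does not match, which is exactly what happens on a direct CreateGrant call.
    """
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def is_allowed(policy, caller_arn, action, context=None):
    """True if some Allow statement matches principal, action and conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_matches(stmt["Principal"]["AWS"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    user = "arn:aws:iam::444455556666:user/Deployer"  # constructed caller
    fixed = without_condition(DEFAULT_POLICY, "Allow attachment of persistent resources")
    # Direct CLI call: no kms:GrantIsForAWSResource in the request context.
    print("default policy, direct call:", is_allowed(DEFAULT_POLICY, user, "kms:CreateGrant"))
    # Same action requested by an AWS service on the user's behalf.
    print("default policy, via service:", is_allowed(
        DEFAULT_POLICY, user, "kms:CreateGrant", {"kms:GrantIsForAWSResource": "true"}))
    print("condition removed, direct call:", is_allowed(fixed, user, "kms:CreateGrant"))
```

Removing the condition widens who may create grants on the key, so when you do it, keep the Principal list of that statement as narrow as possible (the specific deployment role in the other account rather than its root, where you can) and keep the condition on any statement whose principals only ever need service-created grants.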
After reading the helpful information you provided, I was able to solve it, so I decided to post my findings for others as well.
This is exactly what I did to allow the "SharedAccountId" account to access and use the custom KMS key (CMK).
For this example, assume the "dev" account is in us-west-2 and "SharedAccount" is in us-east-1.
CloudFormation to create the key:
Note: launch this CloudFormation stack in the "Dev" account, which in this example is in us-west-2
{
  "Description": "Creates a KMS key used to encrypt snapshots and allows sharing with another account.",
  "Outputs": {
    "AMIKeyIdOutput": {
      "Description": "The KMS Key id used to encrypted snapshots.",
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-kmskeyid"
        }
      },
      "Value": {
        "Ref": "AMIKmsKey"
      }
    },
    "AMIKmsAliasOutput": {
      "Description": "The KMS key alias used to encrypted snapshots.",
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-kmsalias"
        }
      },
      "Value": {
        "Ref": "AMIKmsAlias"
      }
    }
  },
  "Parameters": {
    "SharedAccountId": {
      "AllowedPattern": "^(?!\\s*$).+",
      "ConstraintDescription": "You must supply a account id you want to share with.",
      "Description": "The account id you want to share this key with.",
      "Type": "String"
    }
  },
  "Resources": {
    "AMIKmsAlias": {
      "Properties": {
        "AliasName": {
          "Fn::Sub": "alias/amiencryptionkey"
        },
        "TargetKeyId": {
          "Ref": "AMIKmsKey"
        }
      },
      "Type": "AWS::KMS::Alias"
    },
    "AMIKmsKey": {
      "Properties": {
        "Description": "AMI encryption key.",
        "EnableKeyRotation": "true",
        "Enabled": "true",
        "KeyPolicy": {
          "Statement": [
            {
              "Action": [
                "kms:*"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                }
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow access for Key Administrators"
            },
            {
              "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":root"
                      ]
                    ]
                  },
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                      ]
                    ]
                  },
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  }
                ]
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow use of the key"
            },
            {
              "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                  },
                  {
                    "Fn::Join": [
                      ":",
                      [
                        "arn:aws:iam:",
                        {"Ref": "SharedAccountId"},
                        "root"
                      ]
                    ]
                  },
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                      ]
                    ]
                  },
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  }
                ]
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow attachment of persistent resources."
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Type": "AWS::KMS::Key"
    }
  }
}
It is also important to note that some of the principals are not needed, but this should be enough to get you started.
After setting up your KMS key following the logic above, you must run the following CLI command:
Note: in this example
* SharedAccountId is in us-east-1
* the KMS key exists in the "Dev" account, which is in us-west-2
aws kms create-grant \
--region us-east-1 \
--profile SharedAccountProfile \
--key-id arn:aws:kms:us-west-2:<DevAccountId>:key/<KMS_KEY_ID From above CF template> \
--grantee-principal arn:aws:iam::<SharedAccountId>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
--operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"
That should do it. Now you can share encrypted AMIs between accounts and let Auto Scaling groups launch instances from them.
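Because the template above builds its principals with Fn::Sub and two differently shaped Fn::Join calls, it is worth resolving them offline and reviewing the effective principal list before the stack is launched. The following added example (not code from the answer above) implements just the intrinsics the template uses (Ref, Fn::Sub for ${AWS::AccountId}, and Fn::Join) over a constructed copy of the template's "Allow attachment of persistent resources." statement, and lists which of the resulting principals sit outside the key-owning account. The account ids 111122223333 and 444455556666 are placeholders.

```python
"""Resolve CloudFormation intrinsics in a KMS key-policy statement for review.

Only Ref, Fn::Sub (pseudo parameters and template parameters) and Fn::Join are
implemented, because those are the only ones the template uses.
"""
import re

SLR_SUFFIX = ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"

# Constructed: the grant statement from the template above, intrinsics as written there.
STATEMENT = {
    "Sid": "Allow attachment of persistent resources.",
    "Effect": "Allow",
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": ["*"],
    "Principal": {"AWS": [
        {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"},
        {"Fn::Join": [":", ["arn:aws:iam:", {"Ref": "SharedAccountId"}, "root"]]},
        {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "SharedAccountId"}, SLR_SUFFIX]]},
        {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}" + SLR_SUFFIX},
    ]},
}


def resolve(node, pseudo, params):
    """Recursively replace Ref / Fn::Sub / Fn::Join nodes with plain strings."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return params[arg] if arg in params else pseudo[arg]
        if fn == "Fn::Sub":
            # ${Name} is looked up in template parameters first, then pseudo parameters.
            return re.sub(
                r"\$\{([^}]+)\}",
                lambda m: params.get(m.group(1), pseudo.get(m.group(1), m.group(0))),
                arg,
            )
        if fn == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(p, pseudo, params) for p in parts)
    if isinstance(node, dict):
        return {k: resolve(v, pseudo, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, pseudo, params) for v in node]
    return node


def effective_principals(dev_account, shared_account):
    """Principal ARNs of the statement once deployed in `dev_account` with the parameter set."""
    resolved = resolve(
        STATEMENT, {"AWS::AccountId": dev_account}, {"SharedAccountId": shared_account}
    )
    return resolved["Principal"]["AWS"]


def grant_creators_outside_owner(dev_account, shared_account):
    """ARNs allowed to call kms:CreateGrant on the key from outside the owning account.

    Every entry is a cross-account trust on the key and deserves a reviewer's eye.
    """
    return [
        p for p in effective_principals(dev_account, shared_account)
        if p.split(":")[4] != dev_account
    ]


if __name__ == "__main__":
    for arn in effective_principals("111122223333", "444455556666"):
        print(arn)
    print("cross-account:", grant_creators_outside_owner("111122223333", "444455556666"))
```

Resolving the statement shows that the ":"-delimited Fn::Join and the ""-delimited one produce the same ARN shape, and that two of the four principals (the shared account's root and its Auto Scaling service-linked role) are cross-account; if only the service-linked role ever needs to create grants, the shared account's root entry is one of the principals the answer says you can drop.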