管理员不能在 AWS KMS 中 encrypt/decrypt
Administrator cannot encrypt/decrypt in AWS KMS
我正在 AWS 中使用 密钥管理服务 (KMS),目前正在设置 key policies。
我创建了两个角色 KmsUser 和 KmsAdmin 并将以下密钥策略附加到我的 CMK:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMS KeyAdmin access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsAdmin",
"arn:aws:iam::1234567890:user/myadmin"
]},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "KMS KeyUser access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsUser"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
问题是现在如果我尝试将我的密钥用作 myadmin 用户(附加了 AdministratorAccess 策略)我在 CLI 中出现错误:
$ aws kms encrypt --key-id "alias/test-key" --plaintext fileb:///tmp/plaintext.dat
An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:iam::1234567890:user/myadmin is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-99999999999
特别奇怪的是,IAM policy simulator 告诉我一切都应该按预期工作:
如果我手动将 myadmin 用户添加为 Key User 策略的主体,一切正常。
您需要在密钥策略中添加如下声明:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:root"
},
"Action": "kms:*",
"Resource": "*"
}
这允许帐户访问密钥,这是启用 IAM 访问它所必需的。
如果您使用 AWS CDK 创建 KMS 构造,请确保将 trustAccountIdentities 设置为 true。 TypeScript 中的示例
const passwordEncryptionKey = new kms.Key(this, 'MyKey', {
enabled: true,
trustAccountIdentities: true,
});
文档是 here
我正在 AWS 中使用 密钥管理服务 (KMS),目前正在设置 key policies。
我创建了两个角色 KmsUser 和 KmsAdmin 并将以下密钥策略附加到我的 CMK:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMS KeyAdmin access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsAdmin",
"arn:aws:iam::1234567890:user/myadmin"
]},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "KMS KeyUser access",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::1234567890:role/KmsUser"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
问题是现在如果我尝试将我的密钥用作 myadmin 用户(附加了 AdministratorAccess 策略)我在 CLI 中出现错误:
$ aws kms encrypt --key-id "alias/test-key" --plaintext fileb:///tmp/plaintext.dat
An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:iam::1234567890:user/myadmin is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-99999999999
特别奇怪的是,IAM policy simulator 告诉我一切都应该按预期工作:
如果我手动将 myadmin 用户添加为 Key User 策略的主体,一切正常。
您需要在密钥策略中添加如下声明:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:root"
},
"Action": "kms:*",
"Resource": "*"
}
这允许帐户访问密钥,这是启用 IAM 访问它所必需的。
如果您使用 AWS CDK 创建 KMS 构造,请确保将 trustAccountIdentities 设置为 true。 TypeScript 中的示例
const passwordEncryptionKey = new kms.Key(this, 'MyKey', {
enabled: true,
trustAccountIdentities: true,
});
文档是 here