KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager

I have set up a CMK (custom managed key) to encrypt a log group used with AWS Systems Session Manager:

  1. First, in the KMS console I added the "key administrators" and "key users/roles" permissions.

  2. Next, the CMK was attached to the log group in the AWS Systems Manager Session Manager preferences, as shown in this image:

Error:

The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM'

The key must exist, since it is used to encrypt the session; it just does not decrypt the log group properly, even though it is linked to the log group and the user has permissions. What gives?

I tried to reproduce your issue.

My Session Manager settings:

CloudWatch log group encrypted, as shown via the CLI:

{
    "logGroups": [
        {
            "logGroupName": "SSM",
            "creationTime": 1593579430258,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
            "storedBytes": 0,
            "kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
        }
    ]
}

After starting Session Manager, I can confirm that it is encrypted:

Based on this verification, the only thing needed to make it work is to set up the KMS key policy. I added the following to my KMS key policy (SSMRole is the instance role; the other entries should be self-explanatory):

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*",
    "Condition": {
        "ArnLike": {
            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
        }
    }
},
{
    "Effect": "Allow",
    "Principal": {
        "Service": "ssm.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*"
},
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::xxxxx:role/SSMRole"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*"
}
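The key-policy statements in the answer are the whole fix, so it is worth being able to check such a policy offline before attaching the key to a log group. The following is an added example, not code from the thread or from AWS: a small evaluator that takes a KMS key policy document and reports which of the actions CloudWatch Logs needs are not granted to the regional `logs.<region>.amazonaws.com` service principal for a given log group ARN. The policy document, account id and key id are constructed placeholders; the evaluator only understands the operators the sample policy uses (ArnLike/ArnEquals/StringEquals/StringLike on `kms:EncryptionContext:*` keys) and treats anything else as unmet, which is the conservative choice for a lint tool. It also shows the effect of the `ArnLike` condition: the same key is refused for any log group ARN other than the one named in the condition, and for the logs service principal of a different region.

```python
"""Offline lint of a KMS key policy for CloudWatch Logs access (added example)."""
import fnmatch

REGION = "us-east-1"
ACCOUNT = "111122223333"  # constructed placeholder account id
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:SSM"

# Concrete actions CloudWatch Logs must be able to call on the key; the
# answer grants them through the kms:Encrypt*, kms:Decrypt*, ... wildcards.
REQUIRED_LOGS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                         "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:DescribeKey")
KMS_WILDCARD_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:Describe*"]

# Constructed sample: the answer's three statements wrapped in a full policy.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
         "Action": KMS_WILDCARD_ACTIONS, "Resource": "*",
         "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn": LOG_GROUP_ARN}}},
        {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
         "Action": KMS_WILDCARD_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/SSMRole"},
         "Action": KMS_WILDCARD_ACTIONS, "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    """principal is a (kind, identifier) pair, e.g. ("Service", "logs.us-east-1.amazonaws.com")."""
    spec = stmt.get("Principal")
    if spec == "*":
        return True
    if not isinstance(spec, dict):
        return False
    kind, ident = principal
    return ident in _as_list(spec.get(kind, []))


def _action_matches(stmt, action):
    # IAM action matching is case-insensitive and allows '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))


def _condition_matches(stmt, context):
    """Evaluate the Condition block against request context; unknown operators count as unmet."""
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower()
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = _as_list(expected)
            if op in ("arnlike", "stringlike"):
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            elif op in ("arnequals", "stringequals"):
                if actual not in patterns:
                    return False
            else:
                return False
    return True


def is_allowed(policy, principal, action, context=None):
    """Simplified IAM decision: an explicit Deny wins, otherwise any matching Allow grants."""
    context = context or {}
    decision = False
    for stmt in policy.get("Statement", []):
        if not (_principal_matches(stmt, principal) and _action_matches(stmt, action)
                and _condition_matches(stmt, context)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def missing_logs_permissions(policy, region, log_group_arn):
    """Required actions the CloudWatch Logs principal of `region` cannot use for `log_group_arn`."""
    principal = ("Service", f"logs.{region}.amazonaws.com")
    context = {"kms:EncryptionContext:aws:logs:arn": log_group_arn}
    return [a for a in REQUIRED_LOGS_ACTIONS if not is_allowed(policy, principal, a, context)]


def drop_statements_for(policy, service):
    """Copy of the policy without the statements whose Principal.Service is `service`."""
    keep = [s for s in policy["Statement"]
            if not (isinstance(s.get("Principal"), dict)
                    and service in _as_list(s["Principal"].get("Service", [])))]
    return {**policy, "Statement": keep}


if __name__ == "__main__":
    other = LOG_GROUP_ARN.replace("log-group:SSM", "log-group:Other")
    stripped = drop_statements_for(KEY_POLICY, f"logs.{REGION}.amazonaws.com")
    print("missing for SSM log group:", missing_logs_permissions(KEY_POLICY, REGION, LOG_GROUP_ARN))
    print("missing for another log group:", missing_logs_permissions(KEY_POLICY, REGION, other))
    print("missing in another region:", missing_logs_permissions(KEY_POLICY, "us-west-2", LOG_GROUP_ARN))
    print("missing without the logs statement:", missing_logs_permissions(stripped, REGION, LOG_GROUP_ARN))
```

To lint a real key policy, load the output of `aws kms get-key-policy --key-id <key> --policy-name default` with `json.loads` and pass it to `missing_logs_permissions` with the exact log group ARN you intend to associate; an empty list means the logs service principal has everything it needs for that one log group, and the non-empty results for the other ARN and the other region show how tightly the `ArnLike` condition scopes the key.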