了解公里政策?
understanding kms policy?
我有一个名为 group-dev 的 IAM 组,并且有几个用户附加到该组,我有自定义 IAM 策略(如下)。仅此 IAM 策略是否足以让该组中的用户加密和列出 kms 密钥?
基本上,我的目标是创建 IAM 组,并将策略附加到几个用户,当添加新用户时,我不想做双重工作,例如将他们添加到组,然后将他们添加到 kms 密钥政策。那么它是否适用于以下政策?
IAM 组内联策略
{
"Action": [
"kms:List*",
"kms:Encrypt",
"kms:Decrypt",
"kms:Describe*",
"kms:Get*"
],
"Effect": "Allow",
"Resource": "*"
},
kms policy
{
"Id": "key-consolepolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:root"
},
"Action": "kms:*",
"Resource": "*"
}
以下是 aws 文档的片段:https://docs.amazonaws.cn/en_us/kms/latest/developerguide/kms-dg.pdf#page=95&zoom=100,96,105
Allowing multiple IAM users to access a CMK
IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of
the following:
• Add each IAM user to the key policy. This approach requires that you update the key policy each time
the list of authorized users changes.
• Ensure that the key policy includes the statement that enables IAM policies to allow access to the
CMK (p. 72). Then create an IAM policy that allows access to the CMK, and then attach that policy to
an IAM group that contains the authorized IAM users. Using this approach, you don't need to change
any policies when the list of authorized users changes. Instead, you only need to add or remove those
users from the appropriate IAM group.
好像有矛盾的说法,还是我理解有误?
. Enables IAM policies to allow access to the CMK.
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them
in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full
access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the
account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it
enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS
CMKs (p. 69).
首先要比较它们如何协同工作,每个 CMK(客户管理的密钥)都是使用密钥策略创建的,该密钥策略限制哪个委托人(操作的调用者,即 IAM Role/IAM User/Service)可以访问它(以及委托人将拥有的权限)。无论您授予哪个 IAM 权限都没有关系,如果您的密钥策略不允许 IAM 用户(包括根用户)无法执行该操作的权限。
附加到用户的 IAM 策略将授予用户可以执行的最大权限。评估操作时,也会评估关键策略权限,如果在两个策略中都允许该权限,则委托人将被允许执行该操作。
总而言之,对于 KMS,密钥策略和 IAM 策略权限都必须允许访问。您拥有的权限将允许用户拥有对 KMS 密钥的大部分访问权限。
我有一个名为 group-dev 的 IAM 组,并且有几个用户附加到该组,我有自定义 IAM 策略(如下)。仅此 IAM 策略是否足以让该组中的用户加密和列出 kms 密钥?
基本上,我的目标是创建 IAM 组,并将策略附加到几个用户,当添加新用户时,我不想做双重工作,例如将他们添加到组,然后将他们添加到 kms 密钥政策。那么它是否适用于以下政策?
IAM 组内联策略
{
"Action": [
"kms:List*",
"kms:Encrypt",
"kms:Decrypt",
"kms:Describe*",
"kms:Get*"
],
"Effect": "Allow",
"Resource": "*"
},
kms policy
{
"Id": "key-consolepolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:root"
},
"Action": "kms:*",
"Resource": "*"
}
以下是 aws 文档的片段:https://docs.amazonaws.cn/en_us/kms/latest/developerguide/kms-dg.pdf#page=95&zoom=100,96,105
Allowing multiple IAM users to access a CMK
IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of
the following:
• Add each IAM user to the key policy. This approach requires that you update the key policy each time
the list of authorized users changes.
• Ensure that the key policy includes the statement that enables IAM policies to allow access to the
CMK (p. 72). Then create an IAM policy that allows access to the CMK, and then attach that policy to
an IAM group that contains the authorized IAM users. Using this approach, you don't need to change
any policies when the list of authorized users changes. Instead, you only need to add or remove those
users from the appropriate IAM group.
好像有矛盾的说法,还是我理解有误?
. Enables IAM policies to allow access to the CMK.
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them
in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full
access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the
account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it
enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS
CMKs (p. 69).
首先要比较它们如何协同工作,每个 CMK(客户管理的密钥)都是使用密钥策略创建的,该密钥策略限制哪个委托人(操作的调用者,即 IAM Role/IAM User/Service)可以访问它(以及委托人将拥有的权限)。无论您授予哪个 IAM 权限都没有关系,如果您的密钥策略不允许 IAM 用户(包括根用户)无法执行该操作的权限。
附加到用户的 IAM 策略将授予用户可以执行的最大权限。评估操作时,也会评估关键策略权限,如果在两个策略中都允许该权限,则委托人将被允许执行该操作。
总而言之,对于 KMS,密钥策略和 IAM 策略权限都必须允许访问。您拥有的权限将允许用户拥有对 KMS 密钥的大部分访问权限。