AWS KMS - why do I need the "kms:Decrypt" permission when I try to encrypt data?
I have noticed that in the following two cases:
- S3 - PutObject to an encrypted bucket.
- SQS - SendMessage to an encrypted queue.
I need to have the kms:Decrypt permission (in addition to the kms:GenerateDataKey permission), otherwise a "not authorized" exception is thrown.
Why is that?
From AWS:
The call to kms:Decrypt is to verify the integrity of the new data key before using it. Therefore, the producer must have the kms:GenerateDataKey and kms:Decrypt permissions for the customer master key (CMK).
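As an added example (it is not part of the question or of the AWS text quoted above), the following IAM identity policy grants a producer exactly the two KMS actions the answer names, scoped to one key. REGION, ACCOUNT_ID and KEY_ID_PLACEHOLDER are placeholders to fill in; the kms:ViaService condition is an added least-privilege assumption, not something the page requires: it limits the grant to KMS requests that S3 or SQS make on the principal's behalf, so the same principal cannot call kms:Decrypt against the key directly.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProducerEnvelopeEncryptionViaS3AndSQS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID_PLACEHOLDER",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "s3.REGION.amazonaws.com",
            "sqs.REGION.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

With this shape, the kms:Decrypt grant that the integrity check needs does not turn into a general ability to decrypt arbitrary ciphertexts under the key: a direct kms:Decrypt API call from the principal fails the kms:ViaService condition, while the service-side verification of the freshly generated data key succeeds. If the same principal also reads the objects or messages back, it needs kms:Decrypt anyway, and the condition still keeps that access routed through the service.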