我第一次使用AWS SES,让服务为新组织创建一些默认加密密钥来加密电子邮件。但是,当我删除该组织时,密钥仍然落后。我现在无法安排删除它们,因为我没有必要的权限,即使以root用户身份签名也是如此。以下是这些密钥的当前政策:
{
"Version": "2012-10-17",
"Id": "auto-ses-2",
"Statement": [
{
"Sid": "Allow SES to encrypt messages belonging to this account",
"Effect": "Allow",
"Principal": {
"Service": "ses.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:ses:source-account": "915144628597"
},
"Null": {
"kms:EncryptionContext:aws:ses:rule-name": "false",
"kms:EncryptionContext:aws:ses:message-id": "false"
}
}
},
{
"Sid": "Allow SES to describe this key",
"Effect": "Allow",
"Principal": {
"Service": "ses.us-east-1.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow direct access to key metadata & decryption to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::915144628597:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
正如您所看到的,root帐户既没有权限来安排密钥删除,也没有设置新的密钥策略。所以据我所知,我几乎无法删除这些密钥。我可以在这个问题上找到的所有文档和以前的帖子都假设用户自己创建了密钥,而我没有。所以我想在弄乱提交客户服务票之前,我会向社区提出建议。非常感谢您的帮助!