AWS IAM policy to enforce that new EBS volumes are encrypted

Time: 2017-10-31 16:27:12

Tags: amazon-web-services amazon-iam amazon-ebs

In the AWS Key Management Service Best Practices whitepaper, the section on encrypting data at rest with Amazon EBS states:

    There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag in the CreateVolume context is set to "true" through an IAM policy. If the flag is not "true", the IAM policy can prevent an individual from creating an EBS volume.

How do I do that? I think the policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, a Bool condition on that key makes the most sense, but when I try to create an encrypted volume I get Access Denied.

What am I missing in the statement?

3 answers:

Answer 0 (score: 4)

John Hanley is right.

The full policy I ended up using looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt2222222222222",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1111111111111",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        "kms:ListAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "allowKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
      ]
    }
  ]
}

Answer 1 (score: 3)

You need additional permissions to create an encrypted volume:

1) ec2:DescribeAvailabilityZones

2) kms:*

Note: I have not dug into KMS to find the minimum permissions needed to use a KMS encryption key. If you want to create a volume from a snapshot, you also need to add ec2:DescribeSnapshots.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}

Answer 2 (score: 1)

"kms:Encrypt" alone no longer works for creating an encrypted EBS volume. I found a working solution at the following links:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Permissions for creating and attaching EBS Volume to an EC2Resource in AWS Data Pipeline

To use it without the wildcard KMS action ("kms:*"), add the following under "Action":

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"

and

"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:EnableVolumeIO"
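As an added example (not from the question or any of the answers), here is a small Python check that audits an IAM policy document for the three problems discussed on this page: an Allow for ec2:CreateVolume that lacks the ec2:Encrypted condition, a kms:* wildcard grant, and the KMS actions from the last answer being absent. The sample policy, its Sid names and the KMS key ARN are constructed; the two wildcard KMS actions from the last answer are expanded to the concrete actions they cover.

```python
import fnmatch

# Concrete KMS actions behind the list in the last answer ("kms:ReEncrypt*"
# and "kms:GenerateDataKey*" expanded to the actions they cover).
REQUIRED_KMS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                "kms:ReEncryptTo", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]

# Constructed sample assembled from the answers above; the key ARN is a placeholder.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateEncryptedOnly", "Effect": "Allow", "Resource": "*",
         "Action": "ec2:CreateVolume",
         "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
        {"Sid": "SupportingEc2Calls", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateTags", "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumeStatus",
                    "ec2:DescribeAvailabilityZones", "ec2:EnableVolumeIO"]},
        {"Sid": "EbsKmsKey", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"},
    ],
}

def _as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def _covers(patterns, action):
    """True if any granted pattern matches the action (IAM names are case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(doc):
    """Return findings for an IAM policy document; an empty list means it passes."""
    findings = []
    allows = [s for s in _as_list(doc["Statement"]) if s.get("Effect") == "Allow"]
    for stmt in allows:
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {}).get("Bool", {})
        encrypted_only = str(cond.get("ec2:Encrypted", "")).lower() == "true"
        if _covers(actions, "ec2:CreateVolume") and not encrypted_only:
            findings.append(f"{sid}: ec2:CreateVolume allowed without ec2:Encrypted=true")
        if any(p.lower() in ("kms:*", "*") for p in actions):
            findings.append(f"{sid}: wildcard grant covers every KMS action")
    # Required KMS actions must be granted by some Allow statement (wildcards count).
    granted = [a for s in allows for a in _as_list(s.get("Action", []))]
    findings += [f"missing {a}" for a in REQUIRED_KMS if not _covers(granted, a)]
    return findings
```

Running audit_policy over the question's single-statement policy reports every KMS action as missing, which is the cause of the Access Denied; the kms:* policy in the second answer passes the KMS check but is flagged for the wildcard.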