我尝试设置跨帐户访问权限,以允许外部帐户使用我的KMS密钥解密来自S3存储桶的数据。我有关键,政策,角色设置我认为是正确的拨款,但我不能从外部帐户描述密钥。希望得到一些关于我做错的事情。
帐户111:向外部帐户根目录授予政策的密钥(999)
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
帐户999中的角色,其中附加的政策授予对来自111的密钥的访问权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:RevokeGrant",
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
然而,当我使用aws-shell承担999中的角色时:
aws> kms describe-key --key-id=abc-def
An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist
答案 0 :(得分:4)
您的密钥,角色和政策已正确设置。当您在其他AWS账户上的客户主密钥(CMK)上呼叫describe-key时,您必须在key-id参数的值中指定密钥ARN或别名ARN。
要在其他AWS账户的CMK上执行此操作,请指定 KeyId参数值中的关键ARN或别名ARN。
那就是说,如果你做了类似下面的事情,它会起作用:
aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
答案 1 :(得分:0)
如果一切看似正常,请特别注意关键的政策条件。例如,以下策略似乎允许访问AccountA以使用密钥。
{
"Sid": "Allow use of the key for SSM only",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": [
"ssm.*.amazonaws.com",
"autoscaling.*.amazonaws.com"
]
}
}
},
{
"Sid": "Allow reading of key metadata",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*"
}
但是,如果您更仔细地检查条件,您将看到键的使用仅限于某些带有“ viaService”条件的服务。
当请求来自特定服务时,您还可以使用kms:ViaService条件键来拒绝使用CMK的权限。
更多信息AWS Doc Reference。
在这种情况下,密钥仅限于ec2和自动缩放。如果您在ec2实例和ec2实例上执行“ aws kms describe-key”,您将能够看到响应,但无法将其用于其他服务(例如AWS Secret Manager等)。换句话说,以下命令将来自同一个ec2实例失败。
aws secretsmanager create-secret --name MyTestSecret \
--description "My test database secret created with the CLI" \
--kms-key-id arn:aws:kms:GIVEN_KEY_ID