Using encrypted EBS volumes in an Auto Scaling group with a CMK owned by a different AWS account

Time: 2019-04-26 01:48:54

Tags: amazon-web-services autoscaling amazon-ebs aws-kms

I am trying to use an Auto Scaling group in AWS to create and manage instances launched from an AMI with encrypted snapshots, where the snapshots were encrypted with a CMK owned by another AWS account.

I keep getting the error "Client.InternalError: Client error on launch". According to Scenario 2 in {{3}}, I need to create a grant on the CMK using the Auto Scaling group's service-linked role as the grantee principal.

I have tried to follow the AWS documentation and the guidance in https://docs.aws.amazon.com/autoscaling/ec2/userguide/ts-as-instancelaunchfailure.html#ts-as-instancelaunchfailure-12 to set up the grant.

However, I keep getting an AccessDeniedException saying that my user is not authorized to perform kms:CreateGrant on the CMK.

I feel like I have followed the instructions exactly, but it is not working. I hope someone can offer some insight.

2 answers:

Answer 0 (score: 1)

After reading your helpful information I was able to solve this, so I decided to post my findings for others as well.

This is exactly how I allowed a custom KMS key (CMK) in the "dev" account to be accessed and used by "SharedAccountId".

In this example, assume the "dev" account is in us-west-2 and the "SharedAccount" is in us-east-1.

CloudFormation to create the key:

Note: launch this CloudFormation stack in the "Dev" account, which in this example is in us-west-2.

{
"Description": "Creates a KMS key used to encrypt snapshots and allows sharing with another account.",
"Outputs": {
    "AMIKeyIdOutput": {
        "Description": "The KMS Key id used to encrypted snapshots.",
        "Export": {
            "Name": {
                "Fn::Sub": "${AWS::StackName}-kmskeyid"
            }
        },
        "Value": {
            "Ref": "AMIKmsKey"
        }
    },
    "AMIKmsAliasOutput": {
        "Description": "The KMS key alias used to encrypted snapshots.",
        "Export": {
            "Name": {
                "Fn::Sub": "${AWS::StackName}-kmsalias"
            }
        },
        "Value": {
            "Ref": "AMIKmsAlias"
        }
    }
},
"Parameters": {
    "SharedAccountId": {
        "AllowedPattern": "^(?!\\s*$).+",
        "ConstraintDescription": "You must supply a account id you want to share with.",
        "Description": "The account id you want to share this key with.",
        "Type": "String"
    }
},
"Resources": {
    "AMIKmsAlias": {
        "Properties": {
            "AliasName": {
                "Fn::Sub": "alias/amiencryptionkey"
            },
            "TargetKeyId": {
                "Ref": "AMIKmsKey"
            }
        },
        "Type": "AWS::KMS::Alias"
    },
    "AMIKmsKey": {
        "Properties": {
            "Description": "AMI encryption key.",
            "EnableKeyRotation": "true",
            "Enabled": "true",
            "KeyPolicy": {
                "Statement": [
                    {
                        "Action": [
                            "kms:*"
                        ],
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": {
                                "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                            }
                        },
                        "Resource": [
                            "*"
                        ],
                        "Sid": "Allow access for Key Administrators"
                    },
                    {
                        "Action": [
                            "kms:Decrypt",
                            "kms:Encrypt",
                            "kms:DescribeKey",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*"
                        ],
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:iam::",
                                            {"Ref":"SharedAccountId"},
                                            ":root"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:iam::",
                                            {"Ref":"SharedAccountId"},
                                            ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                                }
                            ]
                        },
                        "Resource": [
                            "*"
                        ],
                        "Sid": "Allow use of the key"
                    },
                    {
                        "Action": [
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant"
                        ],
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                {
                                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                                },
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:iam::",
                                            {"Ref":"SharedAccountId"},
                                            ":root"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:iam::",
                                            {"Ref":"SharedAccountId"},
                                            ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                                }
                            ]
                        },
                        "Resource": [
                            "*"
                        ],
                        "Sid": "Allow attachment of persistent resources."
                    }
                ],
                "Version": "2012-10-17"
            }
        },
        "Type": "AWS::KMS::Key"
    }
}
}

Also, it is important to note that some of the principals are not needed, but this is enough to get you started. Once you have set up the KMS key with logic like the above, you must run the following CLI command:

Note: in this example
* SharedAccountId is in us-east-1
* The KMS key is in the "Dev" account in us-west-2

aws kms create-grant \
--region us-east-1 \
--profile SharedAccountProfile \
--key-id arn:aws:kms:us-west-2:<DevAccountId>:key/<KMS_KEY_ID From above CF template> \
--grantee-principal arn:aws:iam::<SharedAccountId>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
--operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"

That should do it. You can now share encrypted AMIs between accounts and allow Auto Scaling groups to launch instances with them.

Answer 1 (score: 0)

I chatted with an AWS employee who had the same problem until he re-read the forum post. The key line in Case 2, step 4 is "Do not include the kms:GrantIsForAWSResource condition, to allow IAM users or roles in account 111122223333 to create the grant in the next step."

In other words, you need to remove this condition from the default key policy of the customer-managed CMK.

The instructions could make this requirement clearer, but technically it is there, and it does fix the problem.
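The two answers together describe one check: the key policy must let the sharing account's root and its Auto Scaling service-linked role call kms:CreateGrant (answer 0), and that statement must not carry the kms:GrantIsForAWSResource condition, which is what denies a user's manual create-grant (answer 1). The following is an added example, not code from either answer: it audits a key-policy document offline for both properties and builds the boto3 `kms.create_grant` arguments matching answer 0's CLI call. The function names and the 1111…/2222… account ids are constructed placeholders.

```python
"""Key-policy audit for the cross-account Auto Scaling grant case (added example, not
from either answer). Account ids below are placeholders, not real accounts."""
import copy

ASG_SLR = "role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
GRANT_OPS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
             "GenerateDataKeyWithoutPlaintext", "DescribeKey", "CreateGrant"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_key_policy(policy, shared_account_id):
    """Report which grant-related capabilities the policy gives `shared_account_id`."""
    root = f"arn:aws:iam::{shared_account_id}:root"
    asg_role = f"arn:aws:iam::{shared_account_id}:{ASG_SLR}"
    found = {"asg_role_can_create_grant": False, "users_can_create_grant": False,
             "users_blocked_by_grant_condition": False}
    for stmt in _as_list(policy["Statement"]):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"kms:creategrant", "kms:*"}:
            continue
        principals = set(_as_list(stmt.get("Principal", {}).get("AWS", [])))
        # A condition keyed on kms:GrantIsForAWSResource restricts the statement to grants
        # created on behalf of an AWS service, so an IAM user running create-grant is denied.
        conditioned = any(k.lower() == "kms:grantisforawsresource"
                          for op in stmt.get("Condition", {}).values() for k in op)
        if asg_role in principals:
            found["asg_role_can_create_grant"] = True
        if root in principals:  # root delegates to the account's IAM users and roles
            found["users_blocked_by_grant_condition" if conditioned
                  else "users_can_create_grant"] = True
    return found

def create_grant_params(key_arn, shared_account_id):
    """Keyword arguments for boto3 kms.create_grant, mirroring answer 0's CLI command."""
    return {"KeyId": key_arn, "Operations": GRANT_OPS,
            "GranteePrincipal": f"arn:aws:iam::{shared_account_id}:{ASG_SLR}"}

# Constructed grant statement in the style of answer 0, carrying the condition that
# answer 1 says must be removed. Account ids are placeholders.
DEV, SHARED = "111111111111", "222222222222"
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
    "Principal": {"AWS": [f"arn:aws:iam::{DEV}:root", f"arn:aws:iam::{SHARED}:root",
                          f"arn:aws:iam::{SHARED}:{ASG_SLR}"]},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
    "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}
FIXED_POLICY = copy.deepcopy(BROKEN_POLICY)
del FIXED_POLICY["Statement"][0]["Condition"]  # the fix from answer 1
```

Run `audit_key_policy` against the output of `kms.get_key_policy` (`json.loads` of its `Policy` field) before running the create-grant step; `users_blocked_by_grant_condition` being true is the AccessDeniedException from the question.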