我得到与https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger/中所述的完全相同的错误。我得到的错误是null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)。
我阅读的所有联机资源都指出,CMK必须对AWS CloudWatch警报具有以下两个权限:"kms:Decrypt","kms:GenerateDataKey"。我所做的(在Terraform中)是:
resource "aws_iam_role" "cloudwatch-alarm-role" {
name = var.cloudwatch_alarm_role_name
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_kms_key" "mycreds" {
description = "CMK for encrypting my data"
tags = merge(
var.my_tags,
{
"Name" = "My Credentials CMK"
},
)
}
resource "aws_kms_grant" "cloudwatch_alarm_role_grant" {
name = "cloudwatch-alarm-grant"
key_id = aws_kms_key.mycreds.key_id
grantee_principal = data.aws_iam_role.cloudwatch_alarm_role.arn
operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
}
resource "aws_sns_topic" "messages" {
name = "messages-topic"
kms_master_key_id = aws_kms_key.mycreds.key_id
}
,但是我仍然收到相同的拒绝访问错误。我想念什么?
答案 0 :(得分:0)
我们遇到了类似的问题。发现我们应该向 aws_kms_key 资源本身添加策略,而不是添加 aws_kms_grant 资源。以下代码对我们有用。
resource "aws_kms_key" "sns_key" {
description = "KMS key for use in SNS through CloudWatch Alarms"
policy = data.aws_iam_policy_document.sns_key_policy.json
tags = var.default_tags
}
data "aws_iam_policy_document" "sns_key_policy" {
statement {
sid = "Enable_IAM_root_permissions"
effect = "Allow"
resources = ["*"]
actions = ["kms:*"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
statement {
sid = "Allow_CloudWatch_for_CMK"
effect = "Allow"
resources = ["*"]
actions = [
"kms:Decrypt",
"kms:GenerateDataKey*",
]
principals {
type = "Service"
identifiers = ["cloudwatch.amazonaws.com"]
}
}
}
请注意:它还要求我们添加访问 root 用户的语句。否则,密钥将变得不可删除。