1 answer
It looks like the ARNs specified in the resource element could be for the S3 bucket ([myencryptedBucketArn, myencryptedBucketArn/*]), rather than the KMS key, as in the second policy.
To allow the KMS actions, the resource in the policy will need to be the ARN of the associated KMS key.
answered 2 years ago
Sorry, I did not understand the first part of the answer.
Sorry! On reading your question again, it sounds like you might be talking about two different types of policy - the KMS key policy, and the IAM role policy. The action will need to be allowed in both of these for it to work.
In the KMS key policy, the resource can be "*", which refers to the KMS key the policy is applied to, and in the IAM policy for the role, the resource will need to be the KMS key, as you already have done.
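The two-policy rule from the answer, as an added example that is not part of the original thread: a broken IAM role policy that scopes KMS actions to the S3 bucket ARNs, the corrected one scoped to the key ARN, the key policy with Resource "*", a check that flags non-key resources on kms: actions, and a simplified model of "allowed in both". All ARNs, the account id and the role name are constructed placeholders.

```python
import re

# Constructed sample policies (not from the original thread): bucket ARN, key ARN,
# account id and role name are placeholders.
BUCKET_ARN = "arn:aws:s3:::my-encrypted-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = "arn:aws:iam::111122223333:role/my-app-role"
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]

# The mistake the answer points at: KMS actions scoped to the S3 bucket ARNs.
BROKEN_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": KMS_ACTIONS,
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
# Corrected IAM role policy: the resource is the KMS key's own ARN.
FIXED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": KEY_ARN}]}
# KMS key policy: Resource "*" here means "the key this policy is attached to".
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": KMS_ACTIONS, "Resource": "*"}]}

KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def kms_resource_problems(policy):
    """Resources of Allow statements for kms:* actions that are neither a KMS key
    ARN nor "*" (e.g. an S3 bucket ARN); such a statement never matches a KMS call."""
    bad = []
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and any(
                a.startswith("kms:") for a in _as_list(s.get("Action", []))):
            bad += [r for r in _as_list(s["Resource"])
                    if r != "*" and not KMS_KEY_ARN_RE.match(r)]
    return bad

def action_allowed(role_policy, key_policy, action, key_arn=KEY_ARN, role_arn=ROLE_ARN):
    """Simplified model of the rule in the answer: the action must be allowed by BOTH
    the IAM policy (resource = key ARN or "*") and the key policy (principal = role)."""
    def allows(policy, principal_ok):
        return any(s.get("Effect") == "Allow"
                   and action in _as_list(s.get("Action", []))
                   and principal_ok(s)
                   and any(r in ("*", key_arn) for r in _as_list(s["Resource"]))
                   for s in policy["Statement"])
    iam_ok = allows(role_policy, lambda s: True)
    key_ok = allows(key_policy, lambda s: role_arn in _as_list(
        s.get("Principal", {}).get("AWS", [])))
    return iam_ok and key_ok
```

The model ignores Deny statements, conditions, wildcards in actions and account-root delegation in key policies; it only illustrates the resource and principal shapes discussed in the thread.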