1回答
- 新しい順
- 投票が多い順
- コメントが多い順
0
If you use default AWS-managed key (aws/lambda), you shouldn't have to do anything. If you use a customer managed key, then you will need to update the Lambda's role to allow access to KMS and optionally KMS resource to allow Lambda's IAM role.
## Lambda IAM
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:your-region:your-account-id:key/your-kms-key-id"
}
## KMS policy example
{
"Sid": "AllowLambdaUseOfKey",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your-account-id>:role/<your-lambda-execution-role-name>"
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
