To create grants in your account, you must add the kms:CreateGrant, kms:ListGrants, and kms:RevokeGrant permissions to the key policy. The policy must also include the "Allow use of the key" and "Allow attachment of persistent resources" statements.

The following is an example key policy. Replace SOURCE_ACCOUNT with the ID of the account that shares the encrypted AMI, and replace DESTINATION_ACCOUNT with your account ID:
```json
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNT:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::DESTINATION_ACCOUNT:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                    "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::DESTINATION_ACCOUNT:user/DESTINATION_USER",
                    "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}
```
**Note:** When you use the AWS Management Console to create a KMS key and add the external account ID as a user, the key policy automatically applies the kms:GrantIsForAWSResource condition key. That condition key does not allow users to create grants for the service-linked role (SLR). Make sure that the key policy does not include this condition key in the "Allow attachment of persistent resources" statement.
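The following is an added example, not code from AWS or from this article, that checks a key policy for the two requirements described above before it is applied: that the destination account's Auto Scaling service-linked role can use the key, that the destination user holds the three grant permissions, and that no statement handing out kms:CreateGrant carries the kms:GrantIsForAWSResource condition the note warns about. The account ID, user name, and the sample policy are constructed placeholders; the helper `remove_grant_condition` strips the condition key so the corrected policy can be compared against the original.

```python
import json
from copy import deepcopy
from fnmatch import fnmatchcase

# Constructed placeholders (assumed values, not real accounts or users).
DESTINATION_ACCOUNT = "111122223333"
SLR_ARN = (f"arn:aws:iam::{DESTINATION_ACCOUNT}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
DESTINATION_USER_ARN = f"arn:aws:iam::{DESTINATION_ACCOUNT}:user/DestinationUser"

# Concrete actions the SLR needs; the policy may cover them with wildcards.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# Constructed sample policy: correct except that the console-style condition
# key was left on the grant statement, which blocks grants for the SLR.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": SLR_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [DESTINATION_USER_ARN]},
         "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
})


def _as_list(value):
    """Principal.AWS and Action may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def allow_statements_for(policy, principal_arn):
    """Allow statements that name principal_arn directly (account-root delegation
    to IAM policies is out of scope for this check)."""
    matches = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and principal_arn in aws:
            matches.append(stmt)
    return matches


def missing_actions(policy, principal_arn, required):
    """Required actions that no Allow statement for the principal covers."""
    granted = [a for s in allow_statements_for(policy, principal_arn)
               for a in _as_list(s.get("Action"))]
    return [r for r in required if not any(_covers(p, r) for p in granted)]


def conditioned_grant_statements(policy):
    """Sids of Allow statements that grant kms:CreateGrant but carry
    kms:GrantIsForAWSResource in any condition operator."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(_covers(p, "kms:CreateGrant") for p in actions):
            continue
        if "kms:grantisforawsresource" in json.dumps(stmt.get("Condition", {})).lower():
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def check_key_policy(policy_json, slr_arn, destination_user_arn):
    """Return a list of findings; an empty list means the policy meets the requirements."""
    policy = json.loads(policy_json)
    findings = [f"Auto Scaling SLR lacks {a}" for a in missing_actions(policy, slr_arn, USE_ACTIONS)]
    findings += [f"destination user lacks {a}"
                 for a in missing_actions(policy, destination_user_arn, GRANT_ACTIONS)]
    findings += [f"statement '{sid}' restricts grants with kms:GrantIsForAWSResource"
                 for sid in conditioned_grant_statements(policy)]
    return findings


def remove_grant_condition(policy):
    """Copy of the policy with every kms:GrantIsForAWSResource condition removed."""
    fixed = deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement")):
        cond = stmt.get("Condition") or {}
        for operator in list(cond):
            for key in list(cond[operator]):
                if key.lower() == "kms:grantisforawsresource":
                    del cond[operator][key]
            if not cond[operator]:
                del cond[operator]
        if "Condition" in stmt and not cond:
            del stmt["Condition"]
    return fixed


if __name__ == "__main__":
    for finding in check_key_policy(SAMPLE_POLICY, SLR_ARN, DESTINATION_USER_ARN):
        print("FINDING:", finding)
    corrected = remove_grant_condition(json.loads(SAMPLE_POLICY))
    print("after fix:", check_key_policy(json.dumps(corrected), SLR_ARN, DESTINATION_USER_ARN))
```

Run the check against the policy JSON you intend to apply (for example the output of `aws kms get-key-policy`) with the real SLR and user ARNs substituted; a single finding about the condition key is exactly the console default the note describes, and an empty list after `remove_grant_condition` confirms that removing the condition, without touching any other statement, is all that was needed.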