Assign Role For Administrative and Usage Permission KMS
I want to enable Kubernetes secret encryption. In order to do that, I need to create KMS key first. When creating KMS key, there's page to choose what roles that will be assigned to administrative and usage permission.
My question is, what roles should I choose for Administrative and Usage permission ?
My assumption is this :
Administrative
- Role that will manage KMS (update key policy, add/remove tags, enable/disable automatic rotate KMS key, create/delete alias, enable/disable key, delete key)
- Role that will setup kubernetes secret encryption.
Usage
- Role that will manage KMS (update key policy, add/remove tags, enable/disable automatic rotate KMS key, create/delete alias, enable/disable key, delete key)
- Role that will setup kubernetes secret encryption.
- EKS role service
Are those assignment correct ?
- 最新
- 最多得票
- 最多評論
When creating a KMS key for encrypting Kubernetes secrets, the roles assigned to the administrative and usage permissions determine who is allowed to perform certain actions on the key.
For the administrative permissions, you should choose the role that will be responsible for managing the key, such as creating, modifying, or deleting it. This role should typically be assigned to a user or group within your organisation that has the necessary privileges for managing KMS keys.
For the usage permissions, you should choose the role that will be used to perform the encryption and decryption operations on the key. In the case of Kubernetes secrets, this role should be assigned to the worker nodes that run the containers in your cluster. You can do this by granting the necessary permissions to the worker node IAM role.
Ref: https://archive.eksworkshop.com/beginner/191_secrets
https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth
https://aws.github.io/aws-eks-best-practices/security/docs/data/
相關內容
AWS 官方已更新 3 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 6 個月前