Assigning Required Permission to EKS Role When Enabling Secret Encryption

0

I want to enable secret encryption in EKS. Based on this page: Enabling secret encryption on an existing cluster, the permissions kms:DescribeKey and kms:CreateGrant are required.

My question is: which is the preferable way to assign these permissions? Is it to assign the permissions manually, or to give key usage permission to the eks-role?


1 answer
0

Hi,

As the document states, you have to make sure that the kms:DescribeKey and kms:CreateGrant actions are permitted in the policy for the principal that calls the create-cluster API. You can do it either by editing the KMS key policy directly (manually), or by giving key usage permission to the eks-role.

For example, you can find below the policy of a brand new KMS key without any “usage permissions / Key users” selected.

{
    "Id": "TestKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

This policy above is similar to what the documentation refers to with “By default, the create-key command creates a symmetric encryption KMS key with a key policy that gives the account root admin access on AWS KMS actions and resources.” It is called the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html).

You can then go to the policy and edit it manually, adding the required permissions to the right role (eks-role in your case), or you can do the same through the “usage permissions / Key users” section.

Going back to the same policy above, this one below is exactly the same KMS key policy after adding the role TestRole in the “usage permissions / Key users” section.

{
    "Id": "TestKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountID:role/TestRole"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountID:role/TestRole"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Another option you have is to leave the Default key policy the way it is (first example above) and use IAM policies to grant access to KMS keys. You can find some information at https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html and https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html

AWS
SergioA
answered 1 year ago
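The three routes in the answer (default key policy only, "Key users" statements, or an IAM policy on the role with the default key policy left alone) can be compared offline before touching the real key. The script below is an added example, not part of SergioA's answer or any AWS tooling: it models just the slice of IAM evaluation that matters here (Allow/Deny statements matched by Principal, action wildcards, and the Bool condition kms:GrantIsForAWSResource, with identity policies counting only when the key policy still carries the account-root "kms:*" statement). The account id 111122223333, the role TestRole and the key ARN are placeholders, and the four policies are constructed from the answer's text. Resource matching is not modelled, so it is a sanity check of policy shape, not a substitute for testing against the real key.

```python
"""Offline check: can a principal perform the actions EKS secret encryption
needs under a given KMS key policy (plus optional IAM identity policy)?

Added example; not code from the answer or from AWS. Placeholders: account
111122223333, role TestRole, key id PLACEHOLDER-KEY-ID. Resource matching
is not modelled.
"""
import fnmatch

ACCOUNT = "111122223333"                             # placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/TestRole"   # placeholder
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
# Actions the EKS docs require of the caller of create-cluster / associate-encryption-config.
EKS_REQUIRED = ("kms:DescribeKey", "kms:CreateGrant")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal")
    return p == "*" or (isinstance(p, dict) and principal_arn in _as_list(p.get("AWS", [])))


def _conditions_hold(stmt, ctx):
    # Only the Bool operator is modelled; any other operator counts as unmet,
    # so the check fails closed rather than over-approving.
    for op, keys in stmt.get("Condition", {}).items():
        if op != "Bool":
            return False
        for key, want in keys.items():
            if str(ctx.get(key, "")).lower() != str(want).lower():
                return False
    return True


def _decision(stmt, action, ctx):
    """'Allow', 'Deny', or None if the statement does not apply to this action."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
        return None
    return stmt["Effect"] if _conditions_hold(stmt, ctx) else None


def key_policy_allows(key_policy, principal_arn, action, ctx, identity_policy=None):
    """True if principal_arn may perform action on the key.

    IAM policy statements are consulted only when the key policy has the
    account-root "kms:*" statement, which is what lets IAM policies grant
    access to the key at all (the Default Key Policy keeps it).
    """
    decisions = [_decision(s, action, ctx) for s in key_policy["Statement"]
                 if _principal_matches(s, principal_arn)]
    iam_enabled = any(s["Effect"] == "Allow" and "kms:*" in _as_list(s.get("Action"))
                      and _principal_matches(s, ROOT_ARN) for s in key_policy["Statement"])
    if iam_enabled and identity_policy:
        decisions += [_decision(s, action, ctx) for s in identity_policy["Statement"]]
    return "Deny" not in decisions and "Allow" in decisions


def missing_eks_permissions(key_policy, principal_arn, identity_policy=None):
    """Required actions the principal cannot perform. kms:GrantIsForAWSResource
    is only present in the request context of the grant APIs, so it is set
    (to true, EKS creating the grant for itself) only for kms:CreateGrant."""
    out = []
    for action in EKS_REQUIRED:
        ctx = {"kms:GrantIsForAWSResource": "true"} if action == "kms:CreateGrant" else {}
        if not key_policy_allows(key_policy, principal_arn, action, ctx, identity_policy):
            out.append(action)
    return out


ROOT_STMT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}
GRANT_COND = {"Bool": {"kms:GrantIsForAWSResource": "true"}}

# 1. Brand-new key: Default Key Policy only (the answer's first example).
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_STMT]}
# 2. Same key after adding TestRole under "Key users" (the answer's second example).
KEY_USERS_POLICY = {"Version": "2012-10-17", "Statement": [
    ROOT_STMT,
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": ["kms:CreateGrant", "kms:ListGrants",
                                                "kms:RevokeGrant"],
     "Resource": "*", "Condition": GRANT_COND}]}
# 3. Hand-edited key policy with only the two actions EKS requires (DescribeKey
#    must not carry the grant condition: that key is absent from its request).
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    ROOT_STMT,
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "kms:DescribeKey", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "kms:CreateGrant",
     "Resource": "*", "Condition": GRANT_COND}]}
# 4. Default key policy untouched; IAM policy attached to TestRole instead.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:DescribeKey",
     "Resource": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"},
    {"Effect": "Allow", "Action": "kms:CreateGrant",
     "Resource": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID",
     "Condition": GRANT_COND}]}

if __name__ == "__main__":
    for name, kp, ip in [("default only", DEFAULT_KEY_POLICY, None),
                         ("key users", KEY_USERS_POLICY, None),
                         ("least privilege", LEAST_PRIVILEGE_POLICY, None),
                         ("default + IAM policy", DEFAULT_KEY_POLICY, IAM_POLICY)]:
        print(f"{name:22s} missing: {missing_eks_permissions(kp, ROLE_ARN, ip)}")
```

The "Key users" route works but also hands the role Encrypt, Decrypt, ReEncrypt and GenerateDataKey, which the create-cluster caller does not need; the hand-edited statement (policy 3) or an IAM policy scoped to the key ARN (policy 4) grants only DescribeKey and CreateGrant, with kms:GrantIsForAWSResource keeping the grant usable only on behalf of an AWS service.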
