Decrypt CloudWatch logs only if user has KMS access

0

Hey folks,

I have a customer-managed KMS key that was created to encrypt a specific CloudWatch log group. In the key policy, I have something like:

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Your_account_ID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.region.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
                }
            }
        }
    ]
}

However, anyone in the AWS account can see the decrypted logs. Is it possible to only allow users that have access to this KMS key via kms:Decrypt* to decrypt logs, like we do in S3, or is it not possible to do this on CloudWatch log groups?

S3 Example: s3-bucket-access-default-encryption

2 answers
0

Can they see the logs, or can they see the contents of the log streams?

The key policy looks correct. You will be relying on IAM policies to allow users to use the KMS keys.

Review which KMS keys are allowed by the IAM permissions already assigned to users. Also review that the CloudWatch log groups are using KMS.

Expert
answered 3 months ago
  • To be clear, this is a user who has only the "ReadOnlyAccess" policy associated and no explicit access to the key (the key policy is the one above).

    This user can see the log group (correctly encrypted by KMS), the log streams of that group, and the log events themselves.

    The expected result would be: no access to the logs because it does not have access to the decrypt key.

  • Everything should work based on your information and description of how everything is set up. All I can suggest is to double-check everything: the log group is using the expected KMS key, the user has no other policies attached directly or by group membership, and the KMS key has the correct policy.

0

While IAM does not directly support conditions based on the KMS key for log viewing actions, you can use resource tags and condition keys in IAM policies to approximate this. For example, tag your KMS key and log groups with specific attributes and use those in IAM policy conditions.

Here's an example IAM policy that incorporates tag-based conditions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewEncryptedLogs",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "ProjectX"
                }
            }
        },
        {
            "Sid": "DecryptWithSpecificKMSKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "ProjectX",
                    "kms:ViaService": "logs.region.amazonaws.com"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

Expert
answered 2 months ago
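As an added example (not code from the question, either answer, or AWS), the following Python models the two authorization checks that a read of a KMS-encrypted log group actually triggers, which is why the ReadOnlyAccess user in the question can read the events without any KMS permission of their own, and then shows how a Project-tag condition on the logs side behaves for read calls. The log group, key and stream ARNs, the `logs:Get*` slice standing in for ReadOnlyAccess, and the request contexts are constructed placeholders; the evaluator is a deliberate simplification of IAM (no NotAction, IfExists, policy variables, or cross-account rules).

```python
"""Minimal IAM policy evaluator (added example, not AWS code) for the
CloudWatch Logs + KMS case: the caller is only checked for the logs:* action,
while CloudWatch Logs itself calls kms:Decrypt and is checked against the key
policy with the log group ARN as encryption context.  Supports Allow/Deny,
Action/Resource/Principal wildcards, StringEquals, StringLike, ArnEquals and
IAM's rule that a condition whose key is absent from the request fails.
All ARNs, policies and request contexts are constructed placeholders."""
import fnmatch

LOG_GROUP = "arn:aws:logs:region:account-id:log-group:log-group-name"
LOG_STREAM = LOG_GROUP + ":log-stream:app"          # constructed stream ARN
KEY_ARN = "arn:aws:kms:region:account-id:key/key-id"
LOGS_SERVICE = "logs.region.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_match(patterns, value):
    # Action, Resource, ArnEquals/ArnLike and StringLike accept * and ? wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, context):
    """Every operator/key pair must hold; a key absent from the request fails."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif not _pattern_match(expected, actual):
                return False
    return True


def principal_matches(statement_principal, principal):
    """Identity policies carry no Principal; key policies do (AWS or Service)."""
    if statement_principal is None:
        return True
    return any(principal.get(kind) in _as_list(allowed)
               for kind, allowed in statement_principal.items())


def is_allowed(policy, action, resource, context, principal=None):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        applies = (_pattern_match(st["Action"], action)
                   and _pattern_match(st["Resource"], resource)
                   and principal_matches(st.get("Principal"), principal or {})
                   and condition_matches(st.get("Condition"), context))
        if not applies:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed stand-in for the logs:* part of the managed ReadOnlyAccess policy.
READ_ONLY_CALLER = {"Statement": [
    {"Effect": "Allow", "Action": ["logs:Describe*", "logs:Get*"], "Resource": "*"}]}

# The service-principal statement of the key policy from the question.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": LOGS_SERVICE},
     "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"],
     "Resource": "*",
     "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": LOG_GROUP}}}]}


def read_encrypted_events(caller_policy, key_policy, log_group_arn):
    """Returns (caller_allowed, service_decrypt_allowed) for one GetLogEvents
    call: the caller never calls KMS, so its policy only needs logs:GetLogEvents."""
    caller_ok = is_allowed(caller_policy, "logs:GetLogEvents",
                           log_group_arn + ":log-stream:app", context={})
    service_ok = is_allowed(key_policy, "kms:Decrypt", KEY_ARN,
                            context={"kms:EncryptionContext:aws:logs:arn": log_group_arn},
                            principal={"Service": LOGS_SERVICE})
    return caller_ok, service_ok


def tag_gated_policy(condition_key):
    """Logs-side read policy gated on a Project tag via the given condition key."""
    return {"Statement": [
        {"Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
         "Resource": "*",
         "Condition": {"StringEquals": {condition_key: "ProjectX"}}}]}


def tag_gate_outcomes():
    """Read calls carry the resource's tags but no request tags, so a policy
    keyed on aws:RequestTag can never allow them while aws:ResourceTag can."""
    read_ctx = {"aws:ResourceTag/Project": "ProjectX"}   # constructed request context
    by_resource_tag = tag_gated_policy("aws:ResourceTag/Project")
    by_request_tag = tag_gated_policy("aws:RequestTag/Project")
    return {
        "resource_tag_same_project": is_allowed(by_resource_tag, "logs:GetLogEvents", LOG_STREAM, read_ctx),
        "resource_tag_other_project": is_allowed(by_resource_tag, "logs:GetLogEvents", LOG_STREAM,
                                                 {"aws:ResourceTag/Project": "ProjectY"}),
        "request_tag_on_read": is_allowed(by_request_tag, "logs:GetLogEvents", LOG_STREAM, read_ctx),
    }


if __name__ == "__main__":
    print(read_encrypted_events(READ_ONLY_CALLER, KEY_POLICY, LOG_GROUP))  # (True, True)
    print(tag_gate_outcomes())
```

The first call returns `(True, True)`: the ReadOnlyAccess slice allows the logs action and the key policy allows the Logs service principal to decrypt, so the user's own lack of `kms:Decrypt` never enters the decision. Restricting who can read therefore has to happen on the `logs:*` side, and a tag condition only does that when it is keyed on the resource's tags rather than on request tags, which read calls do not carry.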
