1 answer
Instead of manually creating the policies, you can use the Amazon GuardDuty console to generate sample policies for you.
- Navigate to the Amazon GuardDuty console. Choose settings in the navigation pane.
- Under Findings export options, choose the frequency for updating findings.
- Under S3 bucket, choose Existing bucket.
- Select your bucket and choose View Policy. Copy that policy and apply it to your S3 bucket.
- You can leave Log file prefix as default (blank).
- For KMS, select your key alias and choose View Policy. Copy that policy and apply it to your KMS key. You want to add this to your key, rather than replace the one that is there. For example:
```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:role/Admin"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow GuardDuty to encrypt findings",
      "Effect": "Allow",
      "Principal": {
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:guardduty:us-west-2:<account_ID>:detector/<detectorID>",
          "aws:SourceAccount": "<account_ID>"
        }
      }
    }
  ]
}
```
- Then choose save.
Answered 1 year ago
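As an added example (not part of the answer above), the following Python helper does what the answer's KMS step requires: it appends the GuardDuty statement to an existing key policy instead of replacing the policy, and then checks that the result grants `kms:GenerateDataKey` only to the GuardDuty service principal pinned to one detector via `aws:SourceAccount` and `aws:SourceArn`. The account ID, region and detector ID are constructed placeholders; pushing the merged policy back with `kms:PutKeyPolicy` is left out.

```python
import json
from copy import deepcopy

GUARDDUTY_SID = "Allow GuardDuty to encrypt findings"

# Constructed sample: an existing key policy that grants only the account root.
EXISTING_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-consolepolicy-3",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}]})


def detector_arn(account_id, region, detector_id):
    return f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}"


def guardduty_statement(account_id, region, detector_id):
    """The statement GuardDuty needs: kms:GenerateDataKey, pinned to one detector."""
    return {"Sid": GUARDDUTY_SID, "Effect": "Allow",
            "Principal": {"Service": "guardduty.amazonaws.com"},
            "Action": "kms:GenerateDataKey", "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:SourceArn": detector_arn(account_id, region, detector_id),
                "aws:SourceAccount": account_id}}}


def merge_guardduty_statement(policy, account_id, region, detector_id):
    """Return a copy of the key policy with the GuardDuty statement added. Every
    existing statement is kept; an older statement with the same Sid is swapped
    out so that rerunning the merge does not pile up duplicates."""
    policy = json.loads(policy) if isinstance(policy, str) else deepcopy(policy)
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != GUARDDUTY_SID]
    policy["Statement"] = kept + [guardduty_statement(account_id, region, detector_id)]
    return policy


def guardduty_can_encrypt(policy, account_id, region, detector_id):
    """True if an Allow statement lets guardduty.amazonaws.com call
    kms:GenerateDataKey with both source conditions set to this detector."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    for s in policy.get("Statement", []):
        principal = s.get("Principal")
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = s.get("Condition", {}).get("StringEquals", {})
        if (s.get("Effect") == "Allow" and isinstance(principal, dict)
                and principal.get("Service") == "guardduty.amazonaws.com"
                and "kms:GenerateDataKey" in actions
                and cond.get("aws:SourceArn") == detector_arn(account_id, region, detector_id)
                and cond.get("aws:SourceAccount") == account_id):
            return True
    return False
```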
Can you post the bucket policy of the existing bucket that you want your guardduty findings to export into? Please post the KMS key policy as well.
I think I found the problem.