在 AWS CloudFormation 中，AWS::KMS::Key 资源在未显式指定 KeyPolicy 时会使用预定义的默认密钥策略，该策略可能不符合个人或组织的具体需求。因此，在使用该资源时，建议用户在 template 文件中明确定义自己的密钥策略，并按实际需要裁剪每条语句授予的操作和主体，以确保只授予最小权限。以下是一个示例 template 文件：
{
"Resources": {
"MyCMK": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "My Key Description",
"KeyPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/Alice",
"arn:aws:iam::111122223333:user/Bob"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Enable Encrypt and Decrypt",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/MyRole",
"arn:aws:iam::111122223333:role/MyOtherRole"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Sid": "Allow Administration of the CMK",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",