IAM policy allowing MWAA to use the built-in AWS KMS key has to specify the key as "NotResource" in order to work

I'm having a little trouble understanding the IAM policy syntax related to MWAA and KMS, and I'm wondering if anyone can help me understand it.

From this document:

https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html

At the end, there is a bit of policy that allows MWAA's role to use the built-in AWS KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:PublishMetrics",
      "Resource": "arn:aws:airflow:{your-region}:{your-account-id}:environment/{your-environment-name}"
    },
    {
      "Effect": "Deny",
      "Action": "s3:ListAllMyBuckets",
      "Resource": [
        "arn:aws:s3:::{your-s3-bucket-name}",
        "arn:aws:s3:::{your-s3-bucket-name}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::{your-s3-bucket-name}",
        "arn:aws:s3:::{your-s3-bucket-name}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:GetLogRecord",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "arn:aws:logs:{your-region}:{your-account-id}:log-group:airflow-{your-environment-name}-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:{your-region}:*:airflow-celery-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt"
      ],
      "NotResource": "arn:aws:kms:*:{your-account-id}:key/*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sqs.{your-region}.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

I don't understand this last block.

  • It is an "Allow" action
  • It contains KMS actions

But I don't understand why the key is "NotResource".

The key listed is the one we want to allow, so why does this look backwards?

Can someone explain the logic to help me understand this?

The example policy applies to "AWS owned keys". Now, AWS owned keys are a collection of KMS keys that an AWS service owns, and these keys are not in your AWS account. So the policy statement "NotResource": "arn:aws:kms:*:{your-account-id}:key/*" means that the actions specified in the policy are allowed for any KMS resource that is not in your AWS account, such as AWS owned keys (provided the key owner grants you access), and only when it is used via the SQS service.
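To make the inversion concrete, here is an added example (my own code, not from the question or the AWS documentation) that evaluates the final statement the way IAM would, using constructed placeholder values for the account, region and key ARNs: a key inside the account is excluded by NotResource, and a key outside it is allowed only when the request arrives via SQS in that region.

```python
import fnmatch

# Constructed placeholder values for the {your-account-id} / {your-region}
# slots in the question's policy; not real identifiers.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"

# The final statement of the policy from the question, placeholders filled in.
KMS_STATEMENT = {
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt"],
    "NotResource": f"arn:aws:kms:*:{ACCOUNT_ID}:key/*",
    "Condition": {"StringLike": {"kms:ViaService": [f"sqs.{REGION}.amazonaws.com"]}},
}


def _matches_any(value, patterns, case_insensitive=False):
    """IAM-style wildcard match ('*' and '?'). Action names are matched
    case-insensitively; ARNs and StringLike condition values are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_allows(stmt, action, resource_arn, context):
    """Simplified evaluator for one Allow statement (Action, Resource/NotResource,
    StringLike). Models the identity policy only; the key policy must also grant access."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _matches_any(action, stmt["Action"], case_insensitive=True):
        return False
    if "NotResource" in stmt:
        # NotResource inverts the match: the statement applies to every ARN
        # EXCEPT those matching the listed pattern(s), i.e. keys in this account.
        if _matches_any(resource_arn, stmt["NotResource"]):
            return False
    elif not _matches_any(resource_arn, stmt["Resource"]):
        return False
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in context or not _matches_any(context[key], patterns):
            return False
    return True


# Constructed ARNs: a key in this account vs. a key in another (service) account.
OWN_KEY = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/0000aaaa-0000-0000-0000-000000000000"
AWS_OWNED_KEY = f"arn:aws:kms:{REGION}:999988887777:key/1111bbbb-1111-1111-1111-111111111111"
VIA_SQS = {"kms:ViaService": f"sqs.{REGION}.amazonaws.com"}
```

Running `statement_allows(KMS_STATEMENT, "kms:Decrypt", OWN_KEY, VIA_SQS)` returns False while the same call with `AWS_OWNED_KEY` returns True, and dropping the `kms:ViaService` context turns the latter False as well.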
