我正在尝试设置跨账户访问,以允许外部账户使用我的 KMS 密钥解密 S3 存储桶中的数据。我有密钥、策略、角色,这些角色设置了我认为正确的授权,但我无法描述外部帐户中的密钥。希望得到一些关于我做错了什么的意见。
账户111:具有向外部账户根授予策略的密钥 (999(
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
账户 999 中附加了策略的角色,授予对 111 密钥的访问权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:RevokeGrant",
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
然而,当我使用 aws-shell 在 999 中担任角色时:
aws> kms describe-key --key-id=abc-def
An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist
您的密钥、角色和策略设置正确。当您对位于其他 AWS 账户上的客户主密钥 (CMK( 调用 describe-key 时,您必须在 key-id 参数的值中指定密钥 ARN 或别名 ARN。
来自官方文档:
要对其他 AWS 账户中的 CMK 执行此操作,请指定 密钥 ARN 或别名 ARN 在密钥 ID 参数的值中。
也就是说,如果您执行以下操作,它将起作用:
aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
如果一切似乎正常,请特别注意关键政策条件。例如,像下面这样的策略似乎允许访问帐户A以使用该密钥。
{
"Sid": "Allow use of the key for SSM only",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": [
"ssm.*.amazonaws.com",
"autoscaling.*.amazonaws.com"
]
}
}
},
{
"Sid": "Allow reading of key metadata",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*"
}
但是,如果您更仔细地检查条件,您会发现密钥的使用仅限于某些具有"viaService"条件的服务。
您还可以使用 kms:ViaService 条件键在请求来自特定服务时拒绝使用 CMK 的权限。
更多信息 AWS 文档参考。
在这种情况下,密钥仅限于 ec2 和自动扩展。如果您从 ec2 实例执行"aws kms describe-key",您将能够看到响应,但您无法将其用于其他服务,如 AWS Secret Manager 等。换句话说,以下命令将从同一 ec2 实例失败。
aws secretsmanager create-secret --name MyTestSecret
--description "My test database secret created with the CLI"
--kms-key-id arn:aws:kms:GIVEN_KEY_ID