了解KMS政策？ [英] understanding kms policy?

问题描述

我有一个名为group-dev的IAM组，并有几个用户连接到此组，我有自定义的IAM策略(如下所示)。仅此IAM策略是否足以让该组中的用户加密并列出KMS密钥？

基本上我的目标是创建IAM组，将策略附加到几个用户，当添加新用户时，我不想做重复的工作，比如将他们添加到组中，然后将他们添加到KMS关键策略中。那么，它是否适用于以下政策？

IAM组内联策略

{
      "Action": [
        "kms:List*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:Describe*",
        "kms:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },

kms policy 


{
    "Id": "key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }

以下是来自AWS文档的片段：https://docs.amazonaws.cn/en_us/kms/latest/developerguide/kms-dg.pdf#page=95&zoom=100,96,105

Allowing multiple IAM users to access a CMK
IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of
the following:
• Add each IAM user to the key policy. This approach requires that you update the key policy each time
the list of authorized users changes.
• Ensure that the key policy includes the statement that enables IAM policies to allow access to the
CMK (p. 72). Then create an IAM policy that allows access to the CMK, and then attach that policy to
an IAM group that contains the authorized IAM users. Using this approach, you don't need to change
any policies when the list of authorized users changes. Instead, you only need to add or remove those
users from the appropriate IAM group.

看起来有相互矛盾的陈述，或者是我误解了什么？

. Enables IAM policies to allow access to the CMK.
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them
in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full
access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the
account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it
enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS
CMKs (p. 69).

CMK

首先为了比较这些密钥如何协同工作，每个推荐答案(客户管理密钥)都是使用密钥策略创建的，该密钥策略限制哪个主体(即IAM角色/IAM用户/服务的调用者)可以访问它(以及主体将拥有的权限)。无论您授予哪种IAM权限，如果您的密钥策略不允许任何IAM用户(包括根用户)都无法执行该操作，则不重要。

附加到用户的IAM策略将授予用户可以执行的最大权限。评估操作时，还会评估关键策略权限，如果两个策略都允许该权限，则将允许主体执行该操作。

因此，总而言之，对于KMS，密钥策略和IAM策略权限都必须允许访问。您拥有的权限将允许用户拥有对KMS密钥的大部分访问权限。

这篇关于了解KMS政策？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！