问题描述

在 KMS 中，有亚马逊别名键(例如/alias/aws/s3 )和客户主密钥(CMK).

In KMS there are the amazon aliased keys (e.g./alias/aws/s3) and Customer Master Keys (CMKs).

对于每个开发团队，我都有一些带有别名的CMK(例如/alias/team1/default ，/alias/team1/confidential )

For each development team, I have a few CMKs with aliases (e.g. /alias/team1/default, /alias/team1/confidential)

我想允许所有IAM用户/组/角色访问aws别名键，但要提供团队级别对团队级别密钥的访问权限

I'd like to allow access to the aws aliased keys to all IAM users/groups/roles, but provide team level access to team level keys

当我试图允许访问AWS托管密钥时出现了我的问题

My issue comes when trying to allow access to aws managed keys

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "kms:*"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:111111111111:alias/aws/*",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "false"
        }
      }
    }
  ]
}

提供对 iam:* 和 kms:* 的隐式拒绝，但允许访问AWS别名键

To provide implicit deny to iam:* and kms:*, but allow access to aws aliased Keys

使用IAM策略模拟器时，好像我必须提供对全键arn的访问权限( arn:aws:kms:us-east-1:111111111111:key/abcd123-acbd-1234-abcd-acbcd1234abcd )而不是别名( arn:aws:kms:us-east-1:111111111111:alias/aws/* )

When working with the IAM policy simulator, it looks like I have to provide access to the full key arn (arn:aws:kms:us-east-1:111111111111:key/abcd123-acbd-1234-abcd-acbcd1234abcd) rather than the alias (arn:aws:kms:us-east-1:111111111111:alias/aws/*)

是否有更好的方法来管理此问题?

Is there a better way to manage this?

我知道我可以使用密钥策略管理对CMK的访问，并且不允许从IAM进行访问，但是您不能在KMS密钥策略中将组用作 Principal

I know I can manage access to CMKs using key policies and not allow access from IAM, but you can't use groups as a Principal in a KMS key policy

推荐答案

您可以将密钥别名用作API的资源，这些API用于控制对以Aliase本身(例如，Create/Delete Alias)和别名不能代替密钥ID用作ARN，以控制对基础密钥的访问.您可以参考以下URL中的表格，该表格说明了要与KMS API一起使用的资源/ARN.

You can use key alias as the resource for APIs which are used to control access to APIs that act on the Aliases themselves (e.g. Create/Delete Alias) and an alias can not be used as ARN in place of a Key ID to control access to the underlying keys. You can refer to the table in the following URL which explains which resource/ARN to use with KMS APIs.

http://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html

您可以考虑采用这种方法:允许IAM组承担IAM角色，并在CMK的关键策略中允许IAM角色.

You can consider this approach: Allow the IAM Group to assume an IAM role and allow the IAM role in the CMK's key policy.

来源: https://forums.aws.amazon.com/thread.jspa?threadID = 173540

这篇关于IAM策略仅授予对Amazon别名密钥的访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！