I am trying to create a policy that allows a user to view all Parameter Store values unless the value is encrypted with the `dev` KMS key. Below is the policy I wrote.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDecryptForDevKey",
      "Effect": "Deny",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:RequestAlias": "dev"
        }
      }
    },
    {
      "Sid": "AllowDecryptIfNotDevKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "kms:RequestAlias": "dev"
        }
      }
    },
    {
      "Sid": "GetSSMParameters",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}
```
But when I try to create it in the UI, it shows the following permissions as defined in the policy.
**Explicit deny (1 of 402 services)**

| Service | Access level | Resource | Request condition |
|---------|--------------|----------|-------------------|
| KMS | Limited: Write | All resources | kms:RequestAlias = dev |

**Allow (1 of 402 services)**

| Service | Access level | Resource | Request condition |
|---------|--------------|----------|-------------------|
| KMS | Limited: Write | All resources | kms:RequestAlias !== dev |
| Systems Manager | Limited: Read | All resources | None |
This is how I tested it:

1. Created a `SecureString` parameter encrypted with the `dev` key.
2. Created a `SecureString` parameter encrypted with a key that is not `dev`.
3. Created `testing-role` with trusted entity type "AWS account".
4. Used the role name (`testing-role`) and the AWS account ID to switch roles.
5. Clicked "Show decrypted value".
But somehow I am still able to decrypt any secret encrypted with the `dev` key. Thank you.
This is the working policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDecryptIfDevKey",
      "Effect": "Deny",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "kms:ResourceAliases": "alias/dev*"
        }
      }
    },
    {
      "Sid": "AllowDecrypt",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "GetSSMParameters",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}
```
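To see why the first policy lets the `dev` secret through while the second one blocks it, here is a small added example (not from the question or the answer) that models the documented IAM condition semantics: a missing condition key makes `StringEquals` false and `StringNotEquals` true, while `ForAnyValue:StringLike` tests each alias of the key. The request contexts are constructed on the assumption that SSM decrypts a SecureString by key id, so `kms:RequestAlias` is absent and only `kms:ResourceAliases` describes the key.

```python
import fnmatch

# Condition-bearing parts of the two policies from the page (Resource/Sid omitted).
ORIGINAL = [
    {"Effect": "Deny", "Action": "kms:Decrypt",
     "Condition": {"StringEquals": {"kms:RequestAlias": "dev"}}},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Condition": {"StringNotEquals": {"kms:RequestAlias": "dev"}}},
]
FIXED = [
    {"Effect": "Deny", "Action": "kms:Decrypt",
     "Condition": {"ForAnyValue:StringLike": {"kms:ResourceAliases": "alias/dev*"}}},
    {"Effect": "Allow", "Action": "kms:Decrypt"},
]

def _match(op, key, expected, ctx):
    """One condition operator, with IAM's missing-key behaviour:
    StringEquals on a missing key is false, StringNotEquals is true,
    ForAnyValue:StringLike is true if any value of a multi-valued key matches."""
    values = ctx.get(key)
    if op == "StringEquals":
        return values is not None and values == expected
    if op == "StringNotEquals":
        return values is None or values != expected
    if op == "ForAnyValue:StringLike":
        return any(fnmatch.fnmatchcase(v, expected) for v in (values or []))
    raise ValueError(f"unsupported operator {op}")

def statement_applies(stmt, action, ctx):
    """A statement applies when the action matches and every condition holds."""
    if stmt["Action"] != action:
        return False
    return all(_match(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())

def evaluate(policy, action, ctx):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in policy if statement_applies(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

# Constructed request contexts for SSM-initiated decrypts (no kms:RequestAlias).
SSM_DEV_KEY = {"kms:ResourceAliases": ["alias/dev"]}
SSM_OTHER_KEY = {"kms:ResourceAliases": ["alias/prod"]}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "dev key:", evaluate(policy, "kms:Decrypt", SSM_DEV_KEY),
              "| other key:", evaluate(policy, "kms:Decrypt", SSM_OTHER_KEY))
```

Running it shows the original policy returning Allow for the `dev` key (the Deny never matches because `kms:RequestAlias` is not in the context), and the fixed policy returning Deny for `dev` while still allowing the other key.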