我正在尝试创建 RDS 数据库并使用 CMK 对其进行加密,是否可以限制自己使用此 KMS 密钥?遵守GDPR规则
示例: 我不希望能够解密或加密、创建快照或从我创建的数据库恢复快照。
我使用的关键策略:
data "aws_iam_policy_document" "kms" {
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = "${local.arn}"
}
actions = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
]
resources = ["*"]
}
}
上述政策有什么问题吗?
如果您想确保特定 IAM 实体(用户、角色或组)没有使用特定 KMS 密钥的权限,您可以从 IAM 策略的资源字段中排除该密钥,并设置您的按照评论中的建议声明“拒绝”。
试试这个
data "aws_iam_policy_document" "kms" {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "kms:*",
"Resource": "${aws_kms_key.your_key.arn}"
},
{
"Effect": "Allow",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}
将“your_key”替换为您要排除的 KMS 密钥的实际名称或 ARN。