我第一次使用 AWS SES,让该服务为新组织创建一些默认加密密钥来加密电子邮件。但是,当我删除该组织时,密钥仍然存在。我现在无法安排删除它们,因为我没有必要的权限,即使以 root 用户身份签名也是如此。以下是这些密钥的当前政策:
{
"Version": "2012-10-17",
"Id": "auto-ses-2",
"Statement": [
{
"Sid": "Allow SES to encrypt messages belonging to this account",
"Effect": "Allow",
"Principal": {
"Service": "ses.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:ses:source-account": "915144628597"
},
"Null": {
"kms:EncryptionContext:aws:ses:rule-name": "false",
"kms:EncryptionContext:aws:ses:message-id": "false"
}
}
},
{
"Sid": "Allow SES to describe this key",
"Effect": "Allow",
"Principal": {
"Service": "ses.us-east-1.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow direct access to key metadata & decryption to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::915144628597:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
如您所见,root 帐户既没有计划删除密钥的权限,也没有放置新密钥策略的权限。据我所知,我实际上无法删除这些键。我可以找到的有关此问题的所有文档和以前的帖子都假定用户自己创建了密钥,而我没有。所以我想在搞砸提交客户服务票之前,我会向社区征求建议。非常感谢您的帮助!