
I am trying to set up cross-account access so that an external account can use my KMS key to decrypt data from an S3 bucket. I have the key, the policies and the role set up with what I believe are the correct grants, but I cannot describe the key from the external account. I would appreciate some input on what I am doing wrong.

Account 111: key with a policy granting access to the root of the external account (999)

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Role in account 999, with an attached policy granting access to the key from 111:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}

However, when I assume the role in 999 using aws-shell:

aws> kms describe-key --key-id=abc-def

An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist

2 Answers


Your key, role and policies are set up correctly. When you call describe-key on a customer master key (CMK) in a different AWS account, you must specify the key ARN or alias ARN in the key-id parameter value.

From the official documentation:

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

That is, it will work if you do the following:

aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
answered 2018-01-18T16:34:49.053

If everything seems correct, pay particular attention to the conditions in the key policy. For example, the policy below appears to allow AccountA to use the key.

    {
        "Sid": "Allow use of the key for SSM only",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::AccountA:root"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:ViaService": [
                    "ssm.*.amazonaws.com",
                    "autoscaling.*.amazonaws.com"
                ]
            }
        }
    },
    {
        "Sid": "Allow reading of key metadata",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::AccountA:root"
        },
        "Action": "kms:DescribeKey",
        "Resource": "*"
    },
    {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::AccountA:root"
        },
        "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
        ],
        "Resource": "*"
    }

However, if you inspect the conditions more closely, you will see that use of the key is restricted to certain services through the "ViaService" condition.

You can also use the kms:ViaService condition key to deny permission to use a CMK when the request comes from particular services.

More info: AWS documentation reference

In this case the key is restricted to ec2 and autoscaling. If you run "aws kms describe-key" from an ec2 instance you will be able to see the response, but you will not be able to use the key with other services such as AWS Secrets Manager. In other words, the following command will fail from the same ec2 instance.

aws secretsmanager create-secret --name MyTestSecret \
--description "My test database secret created with the CLI" \
--kms-key-id arn:aws:kms:GIVEN_KEY_ID
answered 2019-06-05T01:21:07.970
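As an added example (not code from the question or either answer), the following Python models the two points the answers make: how KMS turns a bare key ID into an ARN in the caller's own account (the NotFoundException above), and how a StringLike kms:ViaService condition in a key policy narrows which services may use the key. The account numbers, key IDs and policy statements are constructed samples based on the thread; the evaluator only models Allow statements for an account-root principal and the kms:ViaService condition, not full IAM evaluation.

```python
import fnmatch
import re

# Full KMS key or alias ARN; accounts and regions used below are constructed samples.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d+:(key|alias)/.+$")

def resolve_key_arn(key_id: str, caller_account: str, caller_region: str) -> str:
    """Mimic how KMS interprets KeyId: a full key or alias ARN is used as given, while
    a bare key ID or alias name is assumed to be in the CALLER's own account and region.
    That is why account 999 got NotFoundException for a key that lives in account 111."""
    if KEY_ARN_RE.match(key_id):
        return key_id
    resource = key_id if key_id.startswith("alias/") else f"key/{key_id}"
    return f"arn:aws:kms:{caller_region}:{caller_account}:{resource}"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def key_policy_allows(statements, principal_account: str, action: str, via_service: str = "") -> bool:
    """True if some Allow statement grants `action` to the account-root principal.
    Only StringLike on kms:ViaService is modelled (the condition in the second answer):
    if it is present and the request has no calling service, the statement does not match.
    The caller's own IAM policy must additionally allow the action."""
    principal = f"arn:aws:iam::{principal_account}:root"
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("kms:ViaService")
        if patterns is None:
            return True  # unconditional statement
        if via_service and any(fnmatch.fnmatchcase(via_service, p) for p in _as_list(patterns)):
            return True
    return False

# Constructed key-policy statements modelled on the second answer, with 999 as AccountA.
SSM_ONLY_POLICY = [
    {"Sid": "Allow use of the key for SSM only", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
     "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": ["ssm.*.amazonaws.com", "autoscaling.*.amazonaws.com"]}}},
    {"Sid": "Allow reading of key metadata", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999:root"}, "Action": "kms:DescribeKey", "Resource": "*"},
]
```

Running `resolve_key_arn("abc-def", "999", "us-west-2")` reproduces the ARN in the error message, while passing the full 111 ARN leaves it unchanged; `key_policy_allows` returns False for a direct `kms:Decrypt` call or one made through Secrets Manager, and True only via the SSM or Auto Scaling endpoints.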