我设置了一个 CMK(自定义托管密钥)来使用 AWS 系统会话管理器加密日志组:
首先,在 KMS 控制台中添加“关键管理员”和“关键用户/角色”的权限。
接下来,CMK 在 AWS Systems Manager Session Manager Preferences 中附加到 LogGroup,如下图所示:
错误:
指定的 KMS 密钥不存在或不允许与 LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM' 一起使用
密钥必须存在,因为它用于加密会话并且没有正确解密 LogGroup,但它链接到 LogGroup 并且用户具有权限。是什么赋予了?
我试图复制你的问题。
我的会话管理器设置:
CloudWatch 日志组已使用 CLI加密:
{
"logGroups": [
{
"logGroupName": "SSM",
"creationTime": 1593579430258,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
"storedBytes": 0,
"kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
}
]
}
启动会话管理器后,我可以确认它已加密:
基于此验证,要使其正常工作,唯一需要做的就是设置 KMS 密钥策略。我在我的 KMS 中添加了以下内容(SSMRole是实例角色,其他条目应该是不言自明的):
{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:role/SSMRole"
}
}