- Add CloudTrail's ARN to the KMS key policy.
  For example, the following policy lets CloudTrail perform encryption and decryption operations with the specified KMS key:
  {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "Enable CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "*",
        "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:123456789012:*"}}
      }
    ]
  }
- Create a CloudTrail trail in another AWS account and configure that trail to write to the S3 bucket in the primary AWS account. That way, the KMS key in the primary AWS account can encrypt and decrypt the cross-account CloudTrail logs.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Allow CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE2",
        "Condition": {
          "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2
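The two policies above share one security-relevant detail: the grant to cloudtrail.amazonaws.com is scoped by a StringLike condition on the kms:EncryptionContext:aws:cloudtrail:arn key, so only trails whose ARN (and therefore whose account) matches the pattern can use the key. Without that condition, a trail in any AWS account could encrypt with, and in the Decrypt case read from, your key. The following Python script is an added example, not code from the page or from AWS: it audits a key policy document for exactly that property and evaluates whether a given trail ARN would be allowed, for both the single-account and the cross-account case. The policy documents and account IDs in it are constructed placeholders, and StringLike is approximated with fnmatch (IAM's `*` and `?` wildcards), which is an assumption of this example.

```python
import fnmatch
import json

ENC_CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

# Constructed sample key policy (assumption: the account IDs are placeholders).
# It mirrors the shape of the page's first policy and adds a second CloudTrail
# statement for a trail in another account, as the cross-account bullet describes.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Enable CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {"StringLike": {ENC_CTX_KEY: "arn:aws:cloudtrail:*:123456789012:*"}},
        },
        {
            # Cross-account trail: the other account only needs to encrypt (GenerateDataKey)
            "Sid": "Allow partner account trail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {"StringLike": {ENC_CTX_KEY: "arn:aws:cloudtrail:us-west-2:111122223333:trail/*"}},
        },
    ],
})

# Constructed weak variant: the same grant with no encryption-context condition,
# so a trail in any account could use (and, via Decrypt, read with) the key.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Unscoped CloudTrail grant",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def cloudtrail_statements(policy_json):
    """Allow statements whose principal includes the CloudTrail service."""
    doc = json.loads(policy_json)
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and CLOUDTRAIL_SERVICE in services:
            found.append(stmt)
    return found


def trail_arn_patterns(stmt):
    """StringLike patterns the statement places on the CloudTrail encryption context."""
    like = stmt.get("Condition", {}).get("StringLike", {})
    return _as_list(like.get(ENC_CTX_KEY, []))


def audit_cloudtrail_key_policy(policy_json, allowed_accounts):
    """Return a list of findings; an empty list means the policy passes.

    Every CloudTrail grant must carry an encryption-context condition, and each
    pattern must pin the account field of the trail ARN (arn:aws:cloudtrail:
    region:account:trail/name, index 4 when split on ':') to an allowed account.
    """
    findings = []
    stmts = cloudtrail_statements(policy_json)
    if not stmts:
        findings.append("no Allow statement for cloudtrail.amazonaws.com")
    for stmt in stmts:
        sid = stmt.get("Sid", "<no Sid>")
        patterns = trail_arn_patterns(stmt)
        if not patterns:
            findings.append(f"{sid}: CloudTrail grant has no {ENC_CTX_KEY} condition")
            continue
        for pat in patterns:
            parts = pat.split(":")
            account = parts[4] if len(parts) > 4 else ""
            if account not in allowed_accounts:
                findings.append(f"{sid}: pattern {pat!r} does not pin an allowed account")
    return findings


def trail_may_use_key(policy_json, trail_arn, action):
    """Would a trail with this ARN satisfy some CloudTrail statement for `action`?

    Only exact action names and 'kms:*' are recognised; StringLike is approximated
    with fnmatch ('*' and '?' wildcards), an assumption of this example.
    """
    for stmt in cloudtrail_statements(policy_json):
        actions = _as_list(stmt.get("Action", []))
        if action not in actions and "kms:*" not in actions:
            continue
        patterns = trail_arn_patterns(stmt)
        if not patterns or any(fnmatch.fnmatchcase(trail_arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    print(audit_cloudtrail_key_policy(SAMPLE_POLICY, {"123456789012", "111122223333"}))
    print(audit_cloudtrail_key_policy(WEAK_POLICY, {"123456789012"}))
```

Running the audit with only the primary account in `allowed_accounts` flags the cross-account statement, which is the intended review prompt: each foreign account a trail ARN pattern admits should be a deliberate decision, and the cross-account grant can usually be limited to kms:GenerateDataKey, since the other account writes logs but need not decrypt them.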