KMS Admin (KMS Administrator)
Has full access to KMS resources, including permission to create and delete them, but is not granted permission to perform encrypt and decrypt operations. Encryption and decryption are performed by the programs or individuals that process the data.
How to configure
IAM
Step 1: Create a group
Global regions: IAM Identity Center is recommended; create a Group, which can be named KMSAdmin.
China regions: use IAM; create a User Group, which can be named KMSAdmin.
Step 2: Create the policy
Create a new policy that allows creating and managing KMS keys but does not allow using KMS to encrypt or decrypt: remove Decrypt and Encrypt from the Write permission group.
If you have special requirements, copy a managed (preset) policy and modify it.
In the example below, replace "123456789012" with your own account ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMrelated",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*"
    },
    {
      "Sid": "KMSAdmin",
      "Effect": "Allow",
      "Action": [
        "kms:EnableKey",
        "kms:GetPublicKey",
        "kms:ImportKeyMaterial",
        "kms:UntagResource",
        "kms:PutKeyPolicy",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:Verify",
        "kms:ListResourceTags",
        "kms:CancelKeyDeletion",
        "kms:ReplicateKey",
        "kms:GenerateDataKeyPair",
        "kms:GetParametersForImport",
        "kms:SynchronizeMultiRegionKey",
        "kms:GenerateMac",
        "kms:TagResource",
        "kms:UpdatePrimaryRegion",
        "kms:GetKeyRotationStatus",
        "kms:ScheduleKeyDeletion",
        "kms:ReEncryptTo",
        "kms:DescribeKey",
        "kms:Sign",
        "kms:CreateGrant",
        "kms:EnableKeyRotation",
        "kms:ListKeyPolicies",
        "kms:UpdateKeyDescription",
        "kms:ListRetirableGrants",
        "kms:GetKeyPolicy",
        "kms:DeleteImportedKeyMaterial",
        "kms:GenerateDataKeyPairWithoutPlaintext",
        "kms:DisableKey",
        "kms:ReEncryptFrom",
        "kms:DisableKeyRotation",
        "kms:RetireGrant",
        "kms:ListGrants",
        "kms:VerifyMac",
        "kms:UpdateAlias",
        "kms:RevokeGrant",
        "kms:GenerateDataKey",
        "kms:CreateAlias",
        "kms:DeleteAlias"
      ],
      "Resource": [
        "arn:aws:kms:*:123456789012:alias/*",
        "arn:aws:kms:*:123456789012:key/*"
      ]
    },
    {
      "Sid": "ListKMS",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:DeleteCustomKeyStore",
        "kms:GenerateRandom",
        "kms:UpdateCustomKeyStore",
        "kms:ListAliases",
        "kms:DisconnectCustomKeyStore",
        "kms:CreateKey",
        "kms:ConnectCustomKeyStore",
        "cloudhsm:DescribeClusters",
        "kms:CreateCustomKeyStore"
      ],
      "Resource": "*"
    }
  ]
}
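The script below is an added example and not code from the original page. It is an offline lint for a policy document of the kind shown above: it evaluates a single identity policy the way IAM does at a high level (an explicit Deny beats any Allow, the default is deny, "*" and "?" wildcards, case-insensitive action names; Condition blocks are ignored and treated as satisfied, so the result is an upper bound on what is granted) and reports which KMS cryptographic operations the policy still allows on a key. The embedded sample policy is a trimmed copy of the policy above with the same three statements and shorter action lists; the key ARN, the second account ID and the list of actions to check are constructed assumptions. Run against the full policy, the check confirms that kms:Encrypt and kms:Decrypt are absent, and it also lists kms:GenerateDataKey, kms:GenerateDataKeyPair, kms:ReEncryptFrom, kms:ReEncryptTo, kms:Sign and kms:Verify, which that policy keeps and which use a key rather than manage it; whether an admin role should hold those is worth deciding deliberately rather than by default.

```python
"""Offline lint: which KMS cryptographic operations does an IAM policy grant?
Added example; not code from the original page."""
import re

# Constructed sample: a trimmed copy of the page's KMSAdmin policy. The
# statement layout is the same; only the action lists are shortened.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMrelated", "Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
        {"Sid": "KMSAdmin", "Effect": "Allow",
         "Action": ["kms:EnableKey", "kms:PutKeyPolicy", "kms:DescribeKey",
                    "kms:ScheduleKeyDeletion", "kms:GenerateDataKey",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Sign",
                    "kms:CreateGrant", "kms:CreateAlias"],
         "Resource": ["arn:aws:kms:*:123456789012:alias/*",
                      "arn:aws:kms:*:123456789012:key/*"]},
        {"Sid": "ListKMS", "Effect": "Allow",
         "Action": ["kms:ListKeys", "kms:CreateKey", "kms:ListAliases"],
         "Resource": "*"},
    ],
}

# Operations that use a key rather than manage it. Encrypt/Decrypt are the
# two the page removes; the rest also return or transform data under a key.
CRYPTO_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPair",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Sign", "kms:Verify",
]

# Assumed (constructed) key ARN in the placeholder account used as the resource under test.
TEST_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
                "00000000-0000-0000-0000-000000000000")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard match: '*' spans any characters, '?' exactly one;
    the comparison is case-insensitive (IAM action names are)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _statement_matches(stmt, action, resource):
    """Does this statement apply to (action, resource)? Handles Action,
    NotAction, Resource and NotResource; Condition is ignored."""
    if "NotAction" in stmt:
        actions_ok = not any(_iam_match(p, action) for p in _as_list(stmt["NotAction"]))
    else:
        actions_ok = any(_iam_match(p, action) for p in _as_list(stmt.get("Action")))
    if "NotResource" in stmt:
        resources_ok = not any(_iam_match(p, resource) for p in _as_list(stmt["NotResource"]))
    else:
        resources_ok = any(_iam_match(p, resource) for p in _as_list(stmt.get("Resource")))
    return actions_ok and resources_ok


def policy_allows(policy, action, resource):
    """Evaluate one identity policy for one action on one resource: an
    explicit Deny wins over any Allow; with no matching Allow the default
    is deny. Because conditions are ignored, a conditional Allow counts as
    granted, so the answer is an upper bound on the real permission."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def audit_crypto_access(policy, key_arn=TEST_KEY_ARN):
    """Return the subset of CRYPTO_ACTIONS the policy grants on key_arn."""
    return [a for a in CRYPTO_ACTIONS if policy_allows(policy, a, key_arn)]


if __name__ == "__main__":
    # Paste the full policy from the page into SAMPLE_POLICY to lint it.
    print("Crypto operations still granted:", audit_crypto_access(SAMPLE_POLICY))
```

To lint the real policy, load it with json.load from the file you are about to attach and pass it to audit_crypto_access; an empty list means the policy grants none of the listed key-use operations on keys in the account, while any entry is a permission the admin group holds beyond pure key management.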
Step 3: Create users and add them to the group
Create a user for each person who is allowed to hold security administrator permissions, and add them to the KMSAdmin group created earlier.