KMS key policy

Allow only principals (roles) from within the organization: replace the organization ID placeholder "<my-org-id>" with your own organization ID.

Security can be tightened further by restricting the caller's source IP range. Replace "<my-corporate-cidr>" with your corporate office network CIDR (and "<my-vpc>" with the ID of the VPC from which access is permitted).

Alternatively, a specific IAM role can be allowed through: replace "arn:aws:iam::<my-account-id>:role/aws-service-role/*" with the ARN of the trusted role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceIdentityPerimeter",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "kms:*",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalOrgID": "<my-org-id>"
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false"
                }
            }
        },
        {
            "Sid": "EnforceNetworkPerimeter",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "kms:*",
            "Resource": "*",
            "Condition": {
                "NotIpAddressIfExists": {
                    "aws:SourceIp": "<my-corporate-cidr>"
                },
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": "<my-vpc>",
                    "aws:PrincipalTag/network-perimeter-exception": "true"
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false",
                    "aws:ViaAWSService": "false"
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<my-account-id>:role/aws-service-role/*",
                        "arn:aws:iam::*:role/aws:ec2-infrastructure"
                    ]
                },
                "StringEquals": {
                    "aws:PrincipalTag/data-perimeter-include": "true"
                }
            }
        }
    ]
}
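To see how the two Deny statements combine their condition operators, the following evaluator (an added example, not code from this page or from the aws-samples repository) implements the five operators the policy uses and replays constructed request contexts against it; the org ID, CIDR, VPC ID, account ID and request contexts are all constructed stand-ins for the placeholders above. It also makes visible that the network perimeter only applies to principals carrying the data-perimeter-include tag.

```python
"""Mini evaluator for the two Deny statements of the KMS key policy above (added example,
not the page's or aws-samples' code). Org id, CIDR, VPC id, account id and request contexts
are constructed placeholders for <my-org-id>, <my-corporate-cidr>, <my-vpc>, <my-account-id>."""
import fnmatch
import ipaddress

ORG_ID, CORP_CIDR, VPC_ID, ACCOUNT_ID = "o-exampleorg", "203.0.113.0/24", "vpc-0example", "111122223333"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnforceIdentityPerimeter", "Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
     "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                   "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
    {"Sid": "EnforceNetworkPerimeter", "Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
     "Condition": {"NotIpAddressIfExists": {"aws:SourceIp": CORP_CIDR},
                   "StringNotEqualsIfExists": {"aws:SourceVpc": VPC_ID,
                                               "aws:PrincipalTag/network-perimeter-exception": "true"},
                   "BoolIfExists": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
                   "ArnNotLikeIfExists": {"aws:PrincipalArn": [f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/*",
                                                                "arn:aws:iam::*:role/aws:ec2-infrastructure"]},
                   "StringEquals": {"aws:PrincipalTag/data-perimeter-include": "true"}}}]}

def condition_key_matches(operator, expected, actual):
    """One condition key. A missing request key makes an ...IfExists operator match (so the
    negated checks still deny) and a plain operator fail (the statement does not apply)."""
    if actual is None:
        return operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    values = expected if isinstance(expected, list) else [expected]   # list of values is ORed
    checks = {
        "StringEquals": lambda: actual in values,
        "StringNotEquals": lambda: actual not in values,
        "Bool": lambda: actual.lower() in {v.lower() for v in values},
        "NotIpAddress": lambda: not any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values),
        "ArnNotLike": lambda: not any(fnmatch.fnmatchcase(actual, v) for v in values),  # * and ? wildcards
    }
    return checks[base]()

def denied_by(policy, request):
    """Sids of Deny statements whose Condition block fully matches (operators and keys are ANDed)."""
    return [s["Sid"] for s in policy["Statement"] if s["Effect"] == "Deny" and all(
        condition_key_matches(op, value, request.get(key))
        for op, keys in s["Condition"].items() for key, value in keys.items())]

# Constructed request context: an in-organization application role tagged into the perimeter.
APP_ROLE = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:role/app",
            "aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false",
            "aws:PrincipalTag/data-perimeter-include": "true"}

if __name__ == "__main__":
    print(denied_by(POLICY, {**APP_ROLE, "aws:SourceIp": "203.0.113.10"}))   # []
    print(denied_by(POLICY, {**APP_ROLE, "aws:SourceIp": "198.51.100.7"}))   # ['EnforceNetworkPerimeter']
```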

References

Github - https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_based_policies/kms_key_policy.json
