在 CloudTrail 控制台中创建的默认 KMS 密钥策略 - Amazon CloudTrail
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

在 CloudTrail 控制台中创建的默认 KMS 密钥策略

如果您在 CloudTrail 控制台中创建 Amazon KMS key,则会自动为您创建以下策略。该策略允许以下权限:

  • 允许 Amazon 账户(根账户)对 KMS 密钥的权限。

  • 允许 CloudTrail 在 KMS 密钥下加密日志文件并描述 KMS 密钥。

  • 允许指定账户中的所有用户解密日志文件。

  • 允许指定账户中的所有用户为 KMS 密钥创建 KMS 别名。

  • 为创建跟踪的账户的账户 ID 启用跨账户日志解密。

{
    "Version": "2012-10-17",
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::account-id:root",
                "arn:aws:iam::account-id:user/username"
            ]},
            "Action": "kms:*",
            "Resource": "arn:aws:s3:::myBucketName"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
            "Action": "kms:GenerateDataKey*",
            "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
            "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}}
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:Region:account_ID:key/key_ID"
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": "account-id"},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}
            }
        },
        {
            "Sid": "Allow alias creation during setup",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:CreateAlias",
            "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
            "Condition": {"StringEquals": {
                "kms:ViaService": "ec2.region.amazonaws.com",
                "kms:CallerAccount": "account-id"
            }}
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": "account-id"},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}
            }
        }
    ]
}
注意

该策略的最后一条语句允许使用 KMS 密钥跨账户解密日志文件。