Default KMS key policy created in the CloudTrail console
If you create a KMS key in the CloudTrail console, the following key policy is created for you automatically. It grants the following permissions:
- Allows the AWS account (root account) full permissions on the KMS key.
- Allows CloudTrail to encrypt log files under the KMS key and to describe the KMS key.
- Allows all users in the specified account to decrypt log files.
- Allows all users in the specified account to create a KMS alias for the KMS key.
- Enables cross-account log decryption for the account ID of the account that created the trail.
{
  "Version": "2012-10-17",
  "Id": "Key policy created by CloudTrail",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::account-id:root",
        "arn:aws:iam::account-id:user/username"
      ]},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
      "Action": "kms:GenerateDataKey*",
      "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
      "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}}
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:Region:account_ID:key/key_ID"
    },
    {
      "Sid": "Allow principals in the account to decrypt log files",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
      "Condition": {
        "StringEquals": {"kms:CallerAccount": "account-id"},
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}
      }
    },
    {
      "Sid": "Allow alias creation during setup",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "kms:CreateAlias",
      "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
      "Condition": {"StringEquals": {
        "kms:ViaService": "ec2.region.amazonaws.com",
        "kms:CallerAccount": "account-id"
      }}
    },
    {
      "Sid": "Enable cross account log decryption",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "arn:aws:kms:Region:account_ID:key/key_ID",
      "Condition": {
        "StringEquals": {"kms:CallerAccount": "account-id"},
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*"}
      }
    }
  ]
}
The last statement in the policy allows log files to be decrypted across accounts with this KMS key: the account-id in its kms:CallerAccount condition is the ID of the account that created the trail, which can differ from the key-owning account (account_ID in the key ARN). Two details are worth checking whenever this policy is edited. First, the statements that use "Principal": {"AWS": "*"} are not open to every AWS customer only because each carries a kms:CallerAccount condition; removing that condition would let any principal in any account use the key, subject only to that principal's own IAM permissions. Second, the kms:EncryptionContext:aws:cloudtrail:arn conditions tie encryption and decryption to log files written by trails in the named account, so the key cannot be used as a general-purpose decryptor; and the Resource of a key policy statement always refers to the key itself, either "*" or the key's own ARN, never another service's resource such as an S3 bucket.
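As an added example (not code from the AWS documentation), the following Python script applies the checks described above to a copy of the console default policy: every Resource must be the key itself, every wildcard principal must be pinned by kms:CallerAccount to a trusted account, decrypt grants to wildcard principals and CloudTrail's GenerateDataKey grant must be bound to the aws:cloudtrail:arn encryption context, and that context must name only trusted accounts. The account ID, key ARN and Region are made-up values, the function names audit_key_policy and weakened_policy are chosen here, and the policy is embedded rather than fetched so the script runs offline; against a live key you would feed it the output of aws kms get-key-policy.

```python
"""Audit a CloudTrail KMS key policy for the conditions that keep it scoped.

Added example, not code from the AWS documentation. The account ID, key ID and
Region are made up so the script runs offline; in practice load the policy from
`aws kms get-key-policy --key-id <id> --policy-name default` instead.
"""
import json

ACCOUNT = "111122223333"                      # assumed key-owning account
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
TRAIL_PATTERN = f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"
CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

# Constructed sample: the console default policy with its placeholders filled in.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:root"]},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
         "Action": "kms:GenerateDataKey*", "Resource": KEY_ARN,
         "Condition": {"StringLike": {CTX_KEY: TRAIL_PATTERN}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
         "Action": "kms:DescribeKey", "Resource": KEY_ARN},
        {"Sid": "Allow principals in the account to decrypt log files", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": KEY_ARN,
         "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT},
                       "StringLike": {CTX_KEY: TRAIL_PATTERN}}},
        {"Sid": "Allow alias creation during setup", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:CreateAlias", "Resource": KEY_ARN,
         "Condition": {"StringEquals": {"kms:ViaService": "ec2.us-east-1.amazonaws.com",
                                        "kms:CallerAccount": ACCOUNT}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def _cloudtrail_principal(principal):
    return isinstance(principal, dict) and \
        "cloudtrail.amazonaws.com" in _as_list(principal.get("Service", []))


def _ctx_accounts(cond):
    """Account segments of the aws:cloudtrail:arn encryption-context patterns."""
    patterns = _as_list(cond.get("StringLike", {}).get(CTX_KEY, []))
    # arn:aws:cloudtrail:Region:account:trail/name -> index 4 is the account
    return [p.split(":")[4] for p in patterns if len(p.split(":")) >= 6]


def audit_key_policy(policy, key_arn, trusted_accounts):
    """Return (Sid, problem) pairs; an empty list means every grant is pinned."""
    trusted = set(trusted_accounts)
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        cond = stmt.get("Condition", {})
        principal = stmt.get("Principal")
        ctx_accounts = _ctx_accounts(cond)

        # A key policy only ever refers to its own key: "*" or the key ARN.
        for res in _as_list(stmt.get("Resource", [])):
            if res not in ("*", key_arn):
                findings.append((sid, f"Resource {res} is not this key"))

        # Principal "*" means any principal anywhere unless kms:CallerAccount pins it.
        if _wildcard_principal(principal):
            callers = _as_list(cond.get("StringEquals", {}).get("kms:CallerAccount", []))
            if not callers:
                findings.append((sid, "Principal * without a kms:CallerAccount condition"))
            findings += [(sid, f"kms:CallerAccount {a} is not trusted")
                         for a in callers if a not in trusted]
            # Decrypt must stay bound to CloudTrail's encryption context, or the
            # key becomes a general-purpose decryptor for anything encrypted under it.
            decrypts = any(a.startswith(("kms:decrypt", "kms:reencrypt")) or a == "kms:*"
                           for a in actions)
            if decrypts and not ctx_accounts:
                findings.append((sid, "decrypt grant not bound to the CloudTrail encryption context"))

        # Without the context condition, a trail in any account could encrypt with this key.
        if _cloudtrail_principal(principal) and \
                any(a.startswith("kms:generatedatakey") for a in actions) and not ctx_accounts:
            findings.append((sid, "CloudTrail may use this key for trails in any account"))

        findings += [(sid, f"encryption context admits trails in account {a}")
                     for a in ctx_accounts if a not in trusted]
    return findings


def weakened_policy():
    """Constructed bad variant: the decrypt statement loses its kms:CallerAccount pin
    and the first statement names an S3 bucket instead of the key."""
    bad = json.loads(json.dumps(DEFAULT_POLICY))
    bad["Statement"][0]["Resource"] = "arn:aws:s3:::myBucketName"
    del bad["Statement"][3]["Condition"]["StringEquals"]
    return bad


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("weakened", weakened_policy())):
        for sid, problem in audit_key_policy(policy, KEY_ARN, [ACCOUNT]) or [("-", "no findings")]:
            print(f"{name}: {sid}: {problem}")
```

The trusted-accounts list is the place to put the trail-creating account when the cross-account decryption statement is in use; passing only the key-owning account makes the audit flag any other account the policy admits, which is the review you want before a key policy change goes live.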