本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 在 CloudTrail 控制台中创建的默认 KMS 密钥策略
<a name="default-kms-key-policy"></a>

如果您在 CloudTrail 控制台 Amazon KMS key 中创建，则会自动为您创建以下策略。该策略允许以下权限：
+ 允许 KMS 密钥的 Amazon Web Services 账户 （根）权限。
+  CloudTrail 允许对 KMS 密钥下的日志文件和摘要文件进行加密，并描述 KMS 密钥。
+ 允许指定账户中的所有用户解密日志文件和摘要文件。
+ 允许指定账户中的所有用户为 KMS 密钥创建 KMS 别名。
+ 为创建跟踪的账户的账户 ID 启用跨账户日志解密。

**Topics**
+ [用于跟踪的默认 KMS 密钥策略](#default-kms-key-policy-trail)

## 用于跟踪的默认 KMS 密钥策略
<a name="default-kms-key-policy-trail"></a>

以下是为您在跟踪中使用的创建的默认策略。 Amazon KMS key 

**注意**  
该策略包含一条语句，允许使用 KMS 密钥跨账户解密日志文件和摘要文件。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {
            "Sid": "Enable IAM user permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/username"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
             },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-name"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
             },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
             },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        }
    ]
}
```

------