Amazon KMS 的基于资源的策略示例 - Amazon Database Migration Service
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon KMS 的基于资源的策略示例

Amazon DMS 允许您创建自定义 Amazon KMS 加密密钥来加密支持的目标端点数据。要了解如何创建密钥策略并将其附加到为支持的目标数据加密而创建的加密密钥,请参阅 创建 Amazon KMS 密钥并使用该密钥对 Amazon Redshift 目标数据进行加密创建 Amazon KMS 密钥以加密 Amazon S3 目标对象

用于加密 Amazon Redshift 目标数据的自定义 Amazon KMS 加密密钥的政策

以下示例显示了为 Amazon KMS 加密密钥创建的密钥政策的 JSON,该加密密钥是为加密 Amazon Redshift 目标数据而创建的。

{ "Id": "key-consolepolicy-3", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:root" ] }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/Admin" ] }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role" ] }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] }

在此示例中,您可以看到密钥政策引用了角色,以访问在创建密钥之前创建的 Amazon Redshift 目标端点数据。在该示例中,该角色为 DMS-Redshift-endpoint-access-role。您还可以查看不同委托人(用户和角色)所允许的不同密钥操作。例如,任何具有 DMS-Redshift-endpoint-access-role 的用户都可以对目标数据进行加密、解密和重新加密。此类用户还可以生成用于导出的数据密钥来加密 Amazon KMS 外部的数据。还可以返回有关 Amazon KMS 密钥的详细信息,例如,您刚刚创建的密钥。此外,此类用户还可以管理 Amazon 资源的附件,如目标端点。

用于加密 Amazon S3 目标数据的自定义 Amazon KMS 加密密钥的政策

以下示例显示了为 Amazon KMS 加密密钥创建的密钥政策的 JSON,该加密密钥是为加密 Amazon S3 目标数据而创建的。

{ "Id": "key-consolepolicy-3", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:root" ] }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/Admin" ] }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role" ] }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ]

在此示例中,您可以看到密钥政策引用了角色,以访问在创建密钥之前创建的 Amazon S3 目标端点数据。在该示例中,该角色为 DMS-S3-endpoint-access-role。您还可以查看不同委托人(用户和角色)所允许的不同密钥操作。例如,任何具有 DMS-S3-endpoint-access-role 的用户都可以对目标数据进行加密、解密和重新加密。此类用户还可以生成用于导出的数据密钥来加密 Amazon KMS 外部的数据。还可以返回有关 Amazon KMS 密钥的详细信息,例如,您刚刚创建的密钥。此外,此类用户还可以管理 Amazon 资源的附件,如目标端点。