本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 基于资源的策略示例 Amazon KMS
Amazon DMS 允许您创建自定义 Amazon KMS 加密密钥来加密支持的目标端点数据。要了解如何创建密钥策略并将其附加到为支持的目标数据加密而创建的加密密钥,请参阅 [创建和使用 Amazon KMS 密钥对亚马逊 Redshift 目标数据进行加密](CHAP_Target.Redshift.md#CHAP_Target.Redshift.KMSKeys) 和 [创建用于加密 Amazon S3 目标对象的 Amazon KMS 密钥](CHAP_Target.S3.md#CHAP_Target.S3.KMSKeys)。
**Topics**
+ [用于加密亚马逊 Redshift 目标数据的自定义 Amazon KMS 加密密钥的策略](#security_iam_resource-based-policy-examples-custom-rs-key-policy)
+ [用于加密 Amazon S3 目标数据的自定义 Amazon KMS 加密密钥的策略](#security_iam_resource-based-policy-examples-custom-s3-key-policy)
## 用于加密亚马逊 Redshift 目标数据的自定义 Amazon KMS 加密密钥的策略
以下示例显示了为 Amazon KMS 加密密钥创建的密钥政策的 JSON,该加密密钥是为加密 Amazon Redshift 目标数据而创建的。
------
#### [ JSON ]
****
```
{
"Id": "key-consolepolicy-3",
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:root"
]
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/Admin"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
```
------
在此示例中,您可以看到密钥政策引用了角色,以访问在创建密钥之前创建的 Amazon Redshift 目标端点数据。在该示例中,该角色为 `DMS-Redshift-endpoint-access-role`。您还可以查看不同委托人(用户和角色)所允许的不同密钥操作。例如,任何具有 `DMS-Redshift-endpoint-access-role` 的用户都可以对目标数据进行加密、解密和重新加密。这样的用户还可以生成数据密钥以供导出,以加密外部的数据 Amazon KMS。它们还可以返回有关 Amazon KMS 密钥的详细信息,例如您刚刚创建的密钥。此外,此类用户还可以管理 Amazon 资源的附件,如目标端点。
## 用于加密 Amazon S3 目标数据的自定义 Amazon KMS 加密密钥的策略
以下示例显示了为 Amazon KMS 加密密钥创建的密钥政策的 JSON,该加密密钥是为加密 Amazon S3 目标数据而创建的。
------
#### [ JSON ]
****
```
{
"Id": "key-consolepolicy-3",
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:root"
]
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/Admin"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
```
------
在此示例中,您可以看到密钥政策引用了角色,以访问在创建密钥之前创建的 Amazon S3 目标端点数据。在该示例中,该角色为 `DMS-S3-endpoint-access-role`。您还可以查看不同委托人(用户和角色)所允许的不同密钥操作。例如,任何具有 `DMS-S3-endpoint-access-role` 的用户都可以对目标数据进行加密、解密和重新加密。这样的用户还可以生成数据密钥以供导出,以加密外部的数据 Amazon KMS。它们还可以返回有关 Amazon KMS 密钥的详细信息,例如您刚刚创建的密钥。此外,此类用户还可以管理 Amazon 资源的附件,如目标端点。