使用密钥策略 - Amazon Key Management Service
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

使用密钥策略

本主题中的示例使用 Amazon KMS API 查看和更改 Amazon KMS keys 的密钥策略。

有关如何使用密钥策略、IAM 策略管理和授权对您的 KMS 密钥的访问的详细信息,请参阅 Amazon KMS 的身份验证和访问控制。有关编写和格式化 JSON 策略文档的帮助,请参阅 IAM 用户指南中的 IAM JSON 策略参考

列出密钥策略名称

要获取 Amazon KMS key 的密钥策略名称,请使用 ListKeyPolicies 操作。它返回的唯一密钥策略名称是 default

在需要客户端对象的语言中,这些示例使用您在 Amazon KMS 中创建的 创建客户端 客户端对象。

Java

有关 Java 实施的详细信息,请参阅中的 Amazon SDK for Java API 参考中的 listKeyPolicies 方法

// List key policies // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId); ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req);
C#

有关详细信息,请参阅 https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListKeyPoliciesListKeyPoliciesRequest.html 中的 Amazon SDK for .NETListKeyPolicies 方法

// List key policies // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest listKeyPoliciesRequest = new ListKeyPoliciesRequest() { KeyId = keyId }; ListKeyPoliciesResponse listKeyPoliciesResponse = kmsClient.ListKeyPolicies(listKeyPoliciesRequest);
Python

有关详细信息,请参阅 中的 list_key_policies 方法Amazon SDK for Python (Boto3)。

# List key policies # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kms_client.list_key_policies( KeyId=key_id )
Ruby

有关详细信息,请参阅 https://docs.amazonaws.cn/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_key_policies-instance_method 中的 Amazon SDK for Rubylist_key_policies 实例方法。

# List key policies # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kmsClient.list_key_policies({ key_id: key_id })
PHP

有关详细信息,请参阅 https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeypolicies 中的 Amazon SDK for PHPListKeyPolicies 方法

// List key policies // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $result = $KmsClient->listKeyPolicies([ 'KeyId' => $keyId ]);
Node.js

有关详细信息,请参阅适用于 Node.js 中的 JavaScript 的 Amazon 开发工具包中的 listKeyPolicies 属性

// List key policies // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; kmsClient.listKeyPolicies({ KeyId }, (err, data) => { ... });
PowerShell

要列出默认密钥策略的名称,请使用 Get-KMSKeyPolicyList cmdlet。

# List key policies # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $response = Get-KMSKeyPolicyList -KeyId $keyId

要使用 Amazon KMS PowerShell cmdlets,请安装 AWS.Tools.KeyManagementService 模块。有关更多信息,请参阅 Amazon Tools for Windows PowerShell 用户指南

获取密钥策略

要获取 Amazon KMS key 的密钥策略,请使用 GetKeyPolicy 操作。

GetKeyPolicy 需要策略名称。唯一有效的策略名称是 default

在需要客户端对象的语言中,这些示例使用您在 Amazon KMS 中创建的 创建客户端 客户端对象。

Java

有关详细信息,请参阅 Amazon SDK for Java API 参考中的 getKeyPolicy 方法

// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName); GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);
C#

有关详细信息,请参阅 https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceGetKeyPolicyGetKeyPolicyRequest.html 中的 Amazon SDK for .NETGetKeyPolicy 方法

// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest getKeyPolicyRequest = new GetKeyPolicyRequest() { KeyId = keyId, PolicyName = policyName }; GetKeyPolicyResponse getKeyPolicyResponse = kmsClient.GetKeyPolicy(getKeyPolicyRequest);
Python

有关详细信息,请参阅 中的 get_key_policy 方法Amazon SDK for Python (Boto3)。

# Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' response = kms_client.get_key_policy( KeyId=key_id, PolicyName=policy_name )
Ruby

有关详细信息,请参阅 https://docs.amazonaws.cn/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_key_policy-instance_method 中的 Amazon SDK for Rubyget_key_policy 实例方法。

# Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' response = kmsClient.get_key_policy({ key_id: key_id, policy_name: policy_name })
PHP

有关详细信息,请参阅 https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#getkeypolicy 中的 Amazon SDK for PHPGetKeyPolicy 方法

// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->getKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName ]);
Node.js

有关详细信息,请参阅适用于 Node.js 中的 JavaScript 的 Amazon 开发工具包中的 getKeyPolicy 属性

// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; kmsClient.getKeyPolicy({ KeyId, PolicyName }, (err, data) => { ... });
PowerShell

要获取 KMS 密钥的密钥策略,请使用 Get-KMSKeyPolicy cmdlet。此 cmdlet 将密钥策略作为字符串 (System.String) 返回,您可以在 Write-KMSKeyPolicy (PutKeyPolicy) 命令中使用该字符串。要将 JSON 字符串中的策略转换为 PSCustomObject 对象,请使用 ConvertFrom-JSON cmdlet。

# Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $policyName = 'default' $response = Get-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName

要使用 Amazon KMS PowerShell cmdlets,请安装 AWS.Tools.KeyManagementService 模块。有关更多信息,请参阅 Amazon Tools for Windows PowerShell 用户指南

设置密钥策略

要创建或替换 KMS 密钥的密钥策略,请使用 PutKeyPolicy 操作。

PutKeyPolicy 需要策略名称。唯一有效的策略名称是 default

在需要客户端对象的语言中,这些示例使用您在 Amazon KMS 中创建的 创建客户端 客户端对象。

Java

有关详细信息,请参阅 Amazon SDK for Java API 参考中的 putKeyPolicy 方法

// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + // Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName); kmsClient.putKeyPolicy(req);
C#

有关详细信息,请参阅 https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServicePutKeyPolicyPutKeyPolicyRequest.html 中的 Amazon SDK for .NETPutKeyPolicy 方法

// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + // Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest() { KeyId = keyId, Policy = policy, PolicyName = policyName }; kmsClient.PutKeyPolicy(putKeyPolicyRequest);
Python

有关详细信息,请参阅 中的 put_key_policy 方法Amazon SDK for Python (Boto3)。

# Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' policy = """ { "Version": "2012-10-17", "Statement": [{ "Sid": "Allow access for ExampleUser", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*" ], "Resource": "*" }] }""" response = kms_client.put_key_policy( KeyId=key_id, Policy=policy, PolicyName=policy_name )
Ruby

有关详细信息,请参阅 https://docs.amazonaws.cn/sdk-for-ruby/v3/api/Aws/KMS/Client.html#put_key_policy-instance_method 中的 Amazon SDK for Rubyput_key_policy 实例方法。

# Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + # Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}" response = kmsClient.put_key_policy({ key_id: key_id, policy: policy, policy_name: policy_name })
PHP

有关详细信息,请参阅 https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#putkeypolicy 中的 Amazon SDK for PHPPutKeyPolicy 方法

// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->putKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName, 'Policy' => '{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/root" }, "Action": [ "kms:*" ], "Resource": "*" }, { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] } ' ]);
Node.js

有关详细信息,请参阅适用于 Node.js 中的 JavaScript 的 Amazon 开发工具包中的 putKeyPolicy 属性

// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; const Policy = `{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] }`; // The key policy document kmsClient.putKeyPolicy({ KeyId, Policy, PolicyName }, (err, data) => { ... });
PowerShell

要为 KMS 密钥设置密钥策略,请使用 Write-KMSKeyPolicy cmdlet。此 cmdlet 不返回任何输出。要验证该命令是否有效,请使用 Get-KMSKeyPolicy cmdlet。

Policy 参数接受一个字符串。用单引号将字符串括起来,使其成为文本字符串。您不必在文本字符串中使用延续字符或转义字符。

# Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $policyName = 'default' $policy = '{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" }] }' Write-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName -Policy $policy

要使用 Amazon KMS PowerShell cmdlets,请安装 AWS.Tools.KeyManagementService 模块。有关更多信息,请参阅 Amazon Tools for Windows PowerShell 用户指南