Baseline KMS key and IAM policy statements - Amazon IAM Identity Center
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there is any discrepancy between this translation and the original English text, the English original prevails.

Baseline KMS key and IAM policy statements

The baseline KMS key policies and identity-based policies provided here serve as a foundation for common requirements. We also recommend that you review Advanced KMS key policy statements, which provide more fine-grained access control, such as ensuring that the KMS key can be used only by a specific IAM Identity Center instance or Amazon managed application. Before you use the advanced KMS key policy statements, review Considerations for choosing baseline versus advanced KMS key policy statements.

The following sections provide baseline policy statements for each use case. Expand the section that matches your use case, then copy the KMS key policy statements. Then return to Step 2: Prepare KMS key policy statements.

In Step 2: Prepare KMS key policy statements, use the following KMS key policy statement template to allow IAM Identity Center, its associated Identity Store, and IAM Identity Center administrators to use the KMS key.

  • In the Principal element of the administrator policy statements, specify the account principals of the IAM Identity Center management accounts (that is, the Amazon Organizations management account and the delegated administrator account) in the format "arn:aws:iam::111122223333:root".

  • In the PrincipalArn element, replace the example ARNs with the IAM roles of the IAM Identity Center administrators.

    You can specify either of the following:

    • A specific IAM role ARN:

      "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_12345678"

    • A wildcard pattern (recommended):

      "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_*"

    Using a wildcard (*) prevents loss of access when a permission set is deleted and re-created, because Identity Center generates a new unique identifier for the re-created permission set. For an implementation example, see Custom trust policy examples.

  • In the SourceAccount element, specify the IAM Identity Center account ID.

  • Identity Store has its own service principal, identitystore.amazonaws.com, which must be allowed to use the KMS key.

  • These policy statements allow the IAM Identity Center instance in a specific Amazon account to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Advanced KMS key policy statements. Each Amazon account can have only one IAM Identity Center instance.

KMS key policy statements

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "sso.amazonaws.com" },
      "Action": ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:EncryptionContext:aws:sso:instance-arn": "*" },
        "StringEquals": { "aws:SourceAccount": "111122223333" }
      }
    },
    {
      "Sid": "AllowIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "identitystore.amazonaws.com" },
      "Action": ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" },
        "StringEquals": { "aws:SourceAccount": "111122223333" }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": ["identitystore.amazonaws.com", "sso.amazonaws.com"] },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}

In Step 4: Configure IAM policies for cross-account use of the KMS key, use the following IAM policy statement template to allow IAM Identity Center administrators to use the KMS key.

  • Replace the example key ARN in the Resource element with your actual KMS key ARN. For help finding the referenced identifier values, see Where to find the required identifiers.

  • These IAM policy statements grant IAM principals access to the KMS key but do not restrict which Amazon services can make the request. The KMS key policy usually provides those service restrictions. However, you can add an encryption context to this IAM policy to limit use to a specific Identity Center instance. For details, see Advanced KMS key policy statements.

IAM policy statements required for IAM Identity Center delegated administrators

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}

Note

Some Amazon managed applications cannot be used with IAM Identity Center when it is configured with a customer managed KMS key. For more information, see Amazon managed applications that can be used with IAM Identity Center.

In Step 2: Prepare KMS key policy statements, use the following KMS key policy statement template to allow Amazon managed applications and their administrators to use the KMS key.

  • Insert your Amazon Organizations ID in the PrincipalOrgID and SourceOrgID conditions. For help finding the referenced identifier values, see Where to find the required identifiers.

  • These policy statements allow any of your Amazon managed applications, and any IAM principal (application administrator) in your Amazon organization, to use kms:Decrypt through IAM Identity Center and Identity Store. To restrict these policy statements to specific Amazon managed applications, accounts, or IAM Identity Center instances, see Advanced KMS key policy statements.

    You can restrict access to specific application administrators by replacing * with specific IAM principals. To prevent IAM role names from changing when a permission set is re-created, use the method in Custom trust policy examples. For more information, see Considerations for choosing baseline versus advanced KMS key policy statements.

KMS key policy statements

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-a1b2c3d4e5" },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-a1b2c3d4e5" },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" },
        "StringEquals": { "aws:SourceOrgID": "o-a1b2c3d4e5" }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" },
        "StringEquals": { "aws:SourceOrgID": "o-a1b2c3d4e5" }
      }
    }
  ]
}
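The administrator template (Step 2 above) and the managed-application template both rely on the same guardrails: account root principals narrowed by aws:PrincipalArn, permission-set roles matched with a trailing wildcard, service principals bounded by aws:SourceAccount, and a "*" principal bounded by aws:PrincipalOrgID or by aws:PrincipalIsAWSService plus aws:SourceOrgID. The following Python lint is an added example, not code from the Amazon documentation; it checks a key policy offline against those guardrails, and the sample policy and function names are constructed for illustration.

```python
import json

# Constructed sample (not from the page): an admin statement that pins a single
# permission-set suffix, a service statement missing aws:SourceAccount, and a
# Principal "*" statement with no organisation boundary.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminViaIdentityCenter", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*", "Condition": {
         "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/"
                                         "sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_12345678"},
         "StringLike": {"kms:ViaService": "sso.*.amazonaws.com",
                        "kms:EncryptionContext:aws:sso:instance-arn": "*"}}},
    {"Sid": "IdentityCenterService", "Effect": "Allow",
     "Principal": {"Service": "sso.amazonaws.com"}, "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:sso:instance-arn": "*"}}},
    {"Sid": "WeakWildcard", "Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt",
     "Resource": "*", "Condition": {"StringLike": {"kms:ViaService": "sso.*.amazonaws.com"}}},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return findings (strings) for one statement; an empty list means clean."""
    findings, sid = [], stmt.get("Sid", "<no Sid>")
    if stmt.get("Effect") != "Allow":
        return findings
    cond = stmt.get("Condition", {})
    keys = {k.lower() for block in cond.values() for k in block}  # IAM condition keys are case-insensitive
    principal = stmt.get("Principal")
    if principal == "*":
        # The managed-app template bounds "*" with PrincipalOrgID (admins) or with
        # PrincipalIsAWSService plus SourceOrgID (services); anything looser is a finding.
        if "aws:principalorgid" not in keys and not {"aws:principalisawsservice", "aws:sourceorgid"} <= keys:
            findings.append(f"{sid}: Principal '*' lacks PrincipalOrgID or PrincipalIsAWSService+SourceOrgID")
    elif isinstance(principal, dict):
        describe_only = set(_as_list(stmt.get("Action"))) == {"kms:DescribeKey"}  # page's baseline exempts this
        if "Service" in principal and not describe_only and "aws:sourceaccount" not in keys:
            findings.append(f"{sid}: service principal without aws:SourceAccount (confused-deputy exposure)")
        roots = [p for p in _as_list(principal.get("AWS", [])) if p.endswith(":root")]
        if roots and "aws:principalarn" not in keys:
            findings.append(f"{sid}: account root principal not narrowed with aws:PrincipalArn")
        for pattern in _as_list(cond.get("ArnLike", {}).get("aws:PrincipalArn", [])):
            if "AWSReservedSSO_" in pattern and not pattern.endswith("_*"):
                findings.append(f"{sid}: permission-set role pinned to one suffix; use ..._* so a re-created set keeps access")
    return findings

def lint_policy(policy_json):
    """Map each Sid that produced findings to its list of findings."""
    policy = json.loads(policy_json)
    return {s.get("Sid"): f for s in policy["Statement"] if (f := lint_statement(s))}
```

Run lint_policy(SAMPLE_POLICY) to see all three sample statements flagged; a policy built from the page's templates produces no findings.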

In Step 4: Configure IAM policies for cross-account use of the KMS key, use the following IAM policy statement template to allow administrators of Amazon managed applications to use the KMS key from member accounts.

  • Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the referenced identifier values, see Where to find the required identifiers.

  • Some Amazon managed applications require you to configure permissions for the IAM Identity Center service APIs. Before you configure a customer managed key in IAM Identity Center, verify that those permissions also allow use of the KMS key. For the specific KMS key permission requirements, see the documentation for each Amazon managed application that you deploy.

IAM policy statements required for administrators of Amazon managed applications:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]
        }
      }
    }
  ]
}

In Step 2: Prepare KMS key policy statements, use the following KMS key policy statement template to allow Amazon Control Tower administrators to use the KMS key.

  • In the Principal element, specify the IAM principals used to access the IAM Identity Center service APIs. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • These policy statements allow Amazon Control Tower administrators to use the KMS key through any of your IAM Identity Center instances. However, Amazon Control Tower restricts access to the organization instance of IAM Identity Center in the same organization. Because of this restriction, further limiting the KMS key to a specific IAM Identity Center instance, as described in Advanced KMS key policy statements, provides no practical benefit.

  • To help prevent IAM role names from changing when a permission set is re-created, use the method described in Custom trust policy examples.

KMS key policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerExecution" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerExecution" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

Amazon Control Tower does not support delegated administration, so you do not need to configure IAM policies for its administrators.

In Step 2: Prepare KMS key policy statements, use the following KMS key policy statement template to allow single sign-on (SSO) users of Amazon EC2 instances to use the KMS key across accounts.

  • In the Principal field, specify the IAM principal used to access IAM Identity Center. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • This policy statement allows any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Advanced KMS key policy statements.

  • To help prevent IAM role names from changing when a permission set is re-created, use the method described in Custom trust policy examples.

KMS key policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

In Step 4: Configure IAM policies for cross-account use of the KMS key, use the following IAM policy statement template to allow SSO to EC2 instances to use the KMS key.

Attach the IAM policy statement to the existing permission set in IAM Identity Center that allows SSO access to Amazon EC2 instances. For an example IAM policy, see Remote Desktop Protocol connections in the Amazon Systems Manager User Guide.

Permission set IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]
        }
      }
    }
  ]
}

In Step 2: Prepare KMS key policy statements, use the following KMS key policy statement template to allow custom workflows (such as customer managed applications) in the Amazon Organizations management account or a delegated administrator account to use the KMS key. Note that SAML federation for customer managed applications does not require KMS key permissions.

  • In the Principal element, specify the IAM principals used to access the IAM Identity Center service APIs. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • These policy statements allow your workflows to use the KMS key through any of your IAM Identity Center instances. To restrict access to a specific IAM Identity Center instance, see Advanced KMS key policy statements.

  • To help prevent IAM role names from changing when a permission set is re-created, use the method described in Custom trust policy examples.

KMS key policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

In Step 4: Configure IAM policies for cross-account use of the KMS key, use the following IAM policy statement template to allow the IAM principals associated with the custom workflow to use the KMS key across accounts. Add the IAM policy statement to the IAM principal.

IAM policy statement (required only for cross-account use):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]
        }
      }
    }
  ]
}

Example KMS key policy statements for common use cases

IAM Identity Center with a delegated administrator and Amazon managed applications

This section contains example KMS key policy statements that you can use for an IAM Identity Center instance with a delegated administrator and Amazon managed applications.

Important

The KMS key policy statements assume that your IAM Identity Center instance is not used for any other use case that requires KMS key permissions. To confirm this, you can review all use cases. Also, to confirm whether your Amazon managed applications need additional configuration, see Additional configuration in some Amazon managed applications.

Copy the KMS key policy statements below and add them to your KMS key policy. This example uses the following example values:

  • 111122223333 - account ID of the IAM Identity Center instance

  • 444455556666 - delegated administrator account ID

  • o-a1b2c3d4e5 - Amazon organization ID

  • arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_* - wildcard pattern for the IAM role of the IAM Identity Center administrator, provisioned from a permission set. A role such as Admin includes the Region code of the primary Region (us-east-1 in this example).

  • arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_* - wildcard pattern for the IAM role of the IAM Identity Center delegated administrator, provisioned from a permission set. A role such as DelegatedAdmin includes the Region code of the primary Region (us-east-1 in this example).

If the IAM role is not generated from a permission set, it looks like an ordinary role, for example arn:aws:iam::111122223333:role/idcadmin.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "sso.amazonaws.com" },
      "Action": ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:EncryptionContext:aws:sso:instance-arn": "*" },
        "StringEquals": { "aws:SourceAccount": "111122223333" }
      }
    },
    {
      "Sid": "AllowIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "identitystore.amazonaws.com" },
      "Action": ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" },
        "StringEquals": { "aws:SourceAccount": "111122223333" }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": ["identitystore.amazonaws.com", "sso.amazonaws.com"] },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-a1b2c3d4e5" },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-a1b2c3d4e5" },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" },
        "StringEquals": { "aws:SourceOrgID": "o-a1b2c3d4e5" }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" },
        "StringEquals": { "aws:SourceOrgID": "o-a1b2c3d4e5" }
      }
    }
  ]
}