本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 基线 KMS 密钥和 IAM 策略语句
此处提供的基线 KMS 密钥和基于身份的策略可作为常见需求的基础。我们还建议您查看 [高级 KMS 密钥策略语句](advanced-kms-policy.md),其中提供更细粒度的访问控制,例如确保 KMS 密钥仅可由特定的 IAM Identity Center 实例或 Amazon 托管应用程序访问。在使用高级 KMS 密钥策略语句之前,请查看 [选择基线与高级 KMS 密钥策略语句的注意事项](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline)。
以下部分提供了每个使用案例的基线策略语句。展开与您的用例相匹配的部分,然后复制 KMS 密钥策略声明。然后,返回到[步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)。
## 用于 IAM Identity Center 的基线 KMS 密钥策略语句(必需)
在 [步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) 中使用以下 KMS 密钥策略语句模板,允许 IAM Identity Center、其关联的 Identity Store 和 IAM Identity Center 管理员使用 KMS 密钥。
+ 在管理员策略声明的委托人元素中,使用 “arn: aws: iam:: 111122223333: root” 的格式指定 IAM Identity Center 管理账户(即 Amazon 组织管理账户和委托管理账户)的账户委托人。 Amazon
+ 在 PrincipalArn 元素中,将示例 ARNs 替换为 IAM 身份中心管理员的 IAM 角色。
您可以指定下列之一:
+ 特定的 IAM 角色 ARN:
` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_12345678"`
+ 通配符模式(推荐):
` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_*"`
使用通配符(`*`)可以防止在权限集被删除和重新创建时丢失访问权限,因为 Identity Center 会为重新创建的权限集生成新的唯一标识符。有关实现示例,请参阅[自定义信任策略示例](referencingpermissionsets.md#custom-trust-policy-example)。
+ 在 SourceAccount 元素中,指定 IAM 身份中心账户 ID。
+ Identity Store 有自己的服务主体 `identitystore.amazonaws.com`,必须允许其使用 KMS 密钥。
+ 这些政策声明允许您在特定 Amazon 账户中的 IAM 身份中心实例使用 KMS 密钥。要限制对特定 IAM Identity Center 实例的访问,请参阅 [高级 KMS 密钥策略语句](advanced-kms-policy.md)。每个 Amazon 账户只能有一个 IAM 身份中心实例。
KMS 密钥策略语句
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": "kms:DescribeKey",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
}
}
},
{
"Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "sso.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIdentityStoreToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "identitystore.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
"Effect": "Allow",
"Principal": {
"Service": [
"identitystore.amazonaws.com",
"sso.amazonaws.com"
]
},
"Action": "kms:DescribeKey",
"Resource": "*"
}
]
}
```
在 [步骤 4:为 KMS 密钥的跨账户使用配置 IAM 策略](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) 中使用以下 IAM 策略语句模板,允许 IAM Identity Center 管理员使用 KMS 密钥。
+ 将 `Resource` 元素中的示例密钥 ARN 替换为您的实际 KMS 密钥 ARN。有关查找引用标识符值的帮助,请参阅 [在哪里可以找到所需的标识符](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 这些 IAM 政策声明向 IAM 委托人授予 KMS 密钥访问权限,但不限制哪些 Amazon 服务可以发出请求。KMS 密钥策略通常提供这些服务限制。但是,您可以向此 IAM 策略添加加密上下文,以限制对特定 Identity Center 实例的使用。有关详细信息,请参阅[高级 KMS 密钥策略语句](advanced-kms-policy.md)。
IAM Identity Center 委托管理员所需的 IAM 策略语句
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
"Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
"Effect": "Allow",
"Action": "kms:ListAliases",
"Resource": "*"
}
]
}
```
## 用于 Amazon 托管应用程序的基准 KMS 密钥和 IAM 策略声明
**注意**
某些 Amazon 托管应用程序不能与配置了客户托管 KMS 密钥的 IAM 身份中心一起使用。更多信息,请参阅[可与 IAM Identity Center 配合使用的Amazon 托管应用程序](https://docs.amazonaws.cn/singlesignon/latest/userguide/awsapps-that-work-with-identity-center.html)。
使用以下 KMS 密钥策略声明模板[步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)允许 Amazon 托管应用程序及其管理员使用 KMS 密钥。
+ 在 Amazon Organizations 身份证和 SourceOrgId 条件中插入您的 PrincipalOrg身份证。有关查找引用标识符值的帮助,请参阅 [在哪里可以找到所需的标识符](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 这些政策声明允许您的任何 Amazon 托管应用程序和 Amazon 组织中的任何 IAM 委托人(应用程序管理员)通过 IAM Identity Center 和 Identity kms: Store 使用 Decrypt。要将这些策略语句限制为特定的 Amazon 托管应用程序、账户或 IAM Identity Center 实例,请参阅 [高级 KMS 密钥策略语句](advanced-kms-policy.md)。
您可以通过将 ` *` 替换为特定的 IAM 主体来限制对特定应用程序管理员的访问。为防止在重新创建权限集时 IAM 角色名称发生更改,请使用 [自定义信任策略示例](referencingpermissionsets.md#custom-trust-policy-example) 中的方法。有关更多信息,请参阅 [选择基线与高级 KMS 密钥策略语句的注意事项](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline)。
KMS 密钥策略语句
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
}
]
}
```
在 [步骤 4:为 KMS 密钥的跨账户使用配置 IAM 策略](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) 中使用以下 IAM 策略语句模板,允许 Amazon 托管应用程序的管理员从成员账户使用 KMS 密钥。
+ 将 Resource 元素中的示例 ARN 替换为您的实际 KMS 密钥 ARN。有关查找引用标识符值的帮助,请参阅 [在哪里可以找到所需的标识符](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 某些 Amazon 托管应用程序要求您为 IAM 身份中心服务配置权限 APIs。在 IAM Identity Center 中配置客户自主管理型密钥之前,请验证这些权限是否也允许使用 KMS 密钥。有关特定的 KMS 密钥权限要求,请参阅您部署的每个 Amazon 托管应用程序的文档。
Amazon 托管应用程序管理员需要的 IAM 政策声明:
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 供使用的基准 KMS 密钥声明 Amazon Control Tower
使用中的[步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)以下 KMS 密钥声明模板允许 Cont Amazon rol Tower 管理员使用 KMS 密钥。
+ 在委托人元素中,指定用于访问 IAM 身份中心服务 APIs的 IAM 委托人。有关 IAM 主体的更多信息,请参阅《*IAM 用户指南*》中的[指定主体](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 这些政策声明允许 Cont Amazon rol Tower 管理员通过您的任何 IAM 身份中心实例使用 KMS 密钥。但是,Cont Amazon rol Tower 限制访问同一组织中 IAM 身份中心的 Amazon 组织实例。由于这一限制,如中所述,进一步将 KMS 密钥限制为特定的 IAM Identity Center 实例没有任何实际好处[高级 KMS 密钥策略语句](advanced-kms-policy.md)。
+ 要帮助防止 IAM 角色名称在重新创建权限集时发生更改,请使用中[自定义信任策略示例](referencingpermissionsets.md#custom-trust-policy-example)描述的方法。
KMS 密钥策略语句:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
Amazon Control Tower 不支持委托管理,因此,您无需为其管理员配置 IAM 策略。
**重要**
前面的政策声明涵盖了 Amazon Control Tower 服务管理的操作,例如自动注册账户,其中 Amazon Control Tower 扮`AWSControlTowerAdmin`演该角色。但是,对于客户发起的操作,例如通过 Account Factory 配置账户或 Amazon Control Tower APIs直接致电,则 Amazon Control Tower 使用[前向访问会话 (FAS)](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_forward_access_sessions.html),并在客户自己的 IAM 角色下运行。这意味着您用于启动这些操作的 IAM 角色还需要客户托管的 KMS 密钥的`kms:Decrypt`权限。
在上述声明旁边添加以下 KMS 密钥策略`AWSControlTowerAdmin`声明。替换为您用于*MyControlTowerRole*与之交互的 IAM 角色的 ARN Amazon Control Tower,例如 IAM Identity Center 权限集角色(例如`AWSReservedSSO_PermissionSetName_*`)、用于自动化的自定义 IAM 角色或用于调 Amazon Control Tower 用或的任何其他角色。 Amazon Service Catalog APIs
针对客户发起的 Amazon Control Tower 操作的 KMS 密钥政策声明:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityCenterForControlTower",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityStoreForControlTower",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
## 基准 KMS 密钥和 IAM 策略声明,用于对 Amazon EC2 实例使用 IAM 身份中心
在中使用[步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)以下 KMS 密钥策略声明模板,允许 Amazon EC2 实例的单点登录 (SSO) 用户跨账户使用 KMS 密钥。
+ 在 Principal 字段中指定用于访问 IAM Identity Center 的 IAM 主体。有关 IAM 主体的更多信息,请参阅《*IAM 用户指南*》中的[指定主体](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 此策略语句允许您的任何 IAM Identity Center 实例使用 KMS 密钥。要限制对特定 IAM Identity Center 实例的访问,请参阅 [高级 KMS 密钥策略语句](advanced-kms-policy.md)。
+ 为了有助于防止在重新创建权限集时 IAM 角色名称发生更改,请使用“自定义信任策略示例”中描述的方法。
KMS 密钥政策语句:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
使用中的[步骤 4:为 KMS 密钥的跨账户使用配置 IAM 策略](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key)以下 IAM 策略声明模板允许 EC2 实例的 SSO 使用 KMS 密钥。
将 IAM 政策声明附加到 IAM 身份中心中用于允许 SSO 访问 Amazon EC2 实例的现有权限集。有关 IAM 策略示例,请参阅《*Amazon Systems Manager 用户指南*》中的[远程桌面协议连接](https://docs.amazonaws.cn/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html#rdp-iam-policy-examples)。
+ 将 Resource 元素中的示例 ARN 替换为您的实际 KMS 密钥 ARN。有关查找引用标识符值的帮助,请参阅 [在哪里可以找到所需的标识符](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
权限集 IAM 策略:
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 用于与 IAM Identity Center 配合使用的自定义工作流的基线 KMS 密钥和 IAM 策略语句
使用以下 KMS 密钥策略声明模板[步骤 2:准备 KMS 密钥策略语句](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)允许 Amazon Organizations 管理账户或委托管理账户中的自定义工作流程(例如客户托管的应用程序)使用 KMS 密钥。请注意,客户托管应用程序的 SAML 联合不需要 KMS 密钥权限。
+ 在委托人元素中,指定用于访问 IAM 身份中心服务 APIs的 IAM 委托人。有关 IAM 主体的更多信息,请参阅《*IAM 用户指南*》中的[指定主体](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 这些策略语句允许您的工作流通过您的任何 IAM Identity Center 实例使用 KMS 密钥。要限制对特定 IAM Identity Center 实例的访问,请参阅 [高级 KMS 密钥策略语句](advanced-kms-policy.md)。
+ 要帮助防止 IAM 角色名称在重新创建权限集时发生更改,请使用中[自定义信任策略示例](referencingpermissionsets.md#custom-trust-policy-example)描述的方法。
KMS 密钥策略语句:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
在 [步骤 4:为 KMS 密钥的跨账户使用配置 IAM 策略](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) 中使用以下 IAM 策略语句模板,允许与自定义工作流关联的 IAM 主体跨账户使用 KMS 密钥。将 IAM 策略语句添加到 IAM 主体。
+ 将 Resource 元素中的示例 ARN 替换为您的实际 KMS 密钥 ARN。有关查找引用标识符值的帮助,请参阅 [在哪里可以找到所需的标识符](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
IAM 策略语句(仅跨账户使用时需要):
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 常见用例的 KMS 密钥策略声明示例
### 带有委派管理员和托 Amazon 管应用程序的 IAM 身份中心
本节包含 KMS 密钥策略声明示例,您可以将其用于具有委派管理员和托 Amazon 管应用程序的 IAM Identity Center 实例。
**重要**
KMS 密钥策略声明假设您的 IAM Identity Center 实例未用于任何其他需要 KMS 密钥权限的用例。要进行确认,您可以查看所有[用例](identity-center-customer-managed-keys.md#identify-use-cases)。另外,要确认您的 Amazon 托管应用程序是否需要其他配置,请参阅 [某些 Amazon 托管应用程序中的其他配置](identity-center-customer-managed-keys.md#additional-config-in-some-aws-apps)
复制表格下方的 KMS 密钥策略声明并将其添加到您的 KMS 密钥策略中。此示例使用以下示例值:
+ `111122223333`-IAM 身份中心实例的账户 ID
+ `444455556666`-委托管理账户 ID
+ `o-a1b2c3d4e5`- Amazon 组织标识
+ ` arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*`-根据权限集配置的 IAM 身份中心管理员的 IAM 角色的通配符模式。*Admin*这样的角色包含主区域的区域代码(本例中为 us-east-1)。
+ ` arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*`-IAM Identity Center 委托管理员的 IAM 角色的通配符模式,该角色是根据权限集预置的。*DelegatedAdmin*这样的角色包含主区域的区域代码(本例中为 us-east-1)。
如果 IAM 角色不是从权限集生成的,则 IAM 角色将看起来像普通角色,例如`arn:aws:iam::111122223333:role/idcadmin`。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": "kms:DescribeKey",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
}
}
},
{
"Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "sso.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIdentityStoreToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "identitystore.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
"Effect": "Allow",
"Principal": {
"Service": [
"identitystore.amazonaws.com",
"sso.amazonaws.com"
]
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
}
]
}
```