本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
在 CloudTrail 控制台中创建的默认 KMS 密钥策略
如果您在 CloudTrail 控制台 AWS KMS key 中创建,则会自动为您创建以下策略。该策略允许以下权限:
-
允许 KMS 密钥的 AWS 账户 (根)权限。
-
CloudTrail 允许对 KMS 密钥下的日志文件和摘要文件进行加密,并描述 KMS 密钥。
-
允许指定账户中的所有用户解密日志文件和摘要文件。
-
允许指定账户中的所有用户为 KMS 密钥创建 KMS 别名。
-
为创建跟踪的账户的账户 ID 启用跨账户日志解密。
用于跟踪的默认 KMS 密钥策略
以下是为您在跟踪中使用的创建的默认策略。 AWS KMS key
该策略包括一项声明,允许跨账户使用 KMS 密钥解密日志文件和摘要文件。
- JSON
-
-
{
"Version": "2012-10-17",
"Id": "Key policy created by CloudTrail",
"Statement": [
{
"Sid": "Enable IAM user permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:root",
"arn:aws:iam::111111111111:user/username"
]
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow CloudTrail to encrypt logs",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:GenerateDataKey*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-name"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
}
}
},
{
"Sid": "Allow CloudTrail to describe key",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow principals in the account to decrypt log files",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "111111111111"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
}
}
},
{
"Sid": "Enable cross account log decryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "111111111111"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
}
}
}
]
}
CloudTrail Lake 事件数据存储的默认 KMS 密钥策略
以下是为您在 La CloudTrail k AWS KMS key e 中的事件数据存储中使用的默认策略。
- JSON
-
-
{
"Version": "2012-10-17",
"Id": "Key policy created by CloudTrail",
"Statement": [
{
"Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "Enable IAM user permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Enable user to have permissions",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:sts::111111111111:assumed-role/example-role-name"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
]
}
