Examples of resource-based policies for AWS KMS
AWS DMS lets you create a custom AWS KMS encryption key to encrypt data for supported target endpoints. To learn how to create a key policy and attach it to the encryption key you created for target data encryption, see Creating an AWS KMS key and using it to encrypt Amazon Redshift target data and Creating an AWS KMS key to encrypt Amazon S3 target objects.
Policy for a custom AWS KMS encryption key used to encrypt Amazon Redshift target data
The following example shows the JSON of the key policy created for an AWS KMS encryption key that was created to encrypt Amazon Redshift target data.
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
In this example, you can see that the key policy references the role used to access the Amazon Redshift target endpoint data, a role that was created before the key. In the example, that role is DMS-Redshift-endpoint-access-role. You can also see the different key actions permitted for the different principals (users and roles). For example, any user with DMS-Redshift-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside AWS KMS. They can also retrieve details about an AWS KMS key, for example the key you just created. In addition, such a user can manage the attachment of AWS resources, such as the target endpoint.
Policy for a custom AWS KMS encryption key used to encrypt Amazon S3 target data
The following example shows the JSON of the key policy created for an AWS KMS encryption key that was created to encrypt Amazon S3 target data.
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
In this example, you can see that the key policy references the role used to access the Amazon S3 target endpoint data, a role that was created before the key. In the example, that role is DMS-S3-endpoint-access-role. You can also see the different key actions permitted for the different principals (users and roles). For example, any user with DMS-S3-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside AWS KMS. They can also retrieve details about an AWS KMS key, for example the key you just created. In addition, such a user can manage the attachment of AWS resources, such as the target endpoint.
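The Redshift and S3 key policies above differ only in the endpoint role name, so the four-statement shape can be generated for any DMS endpoint role and then checked before it is attached to a key. The following Python is an added example written for this page, not AWS's or DMS's own code: dms_key_policy builds the policy shown above for a given account ID and role name, and lint_key_policy reports where a policy drifts from that shape (a wildcard principal, kms:* granted to anything but the account root, the endpoint role receiving actions beyond key use and grant handling, or kms:CreateGrant without the kms:GrantIsForAWSResource condition). The account ID and role names are the ones on the page; the function names and the finding texts are this example's own.

```python
"""Build and lint the four-statement DMS key policy shown on this page.

Added example, not AWS code. Assumes only the statement shapes visible on the
page; account ID 987654321098 and the role names come from the page.
"""
import copy
import fnmatch
import json
from typing import Any, Dict, List

# Actions the page's "Allow use of the key" and "Allow attachment of persistent
# resources" statements give the endpoint role; anything beyond these is a finding.
ENDPOINT_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]


def dms_key_policy(account: str, endpoint_role: str, admin_role: str = "Admin") -> Dict[str, Any]:
    """Return the page's key policy for any DMS endpoint role (Redshift, S3, ...)."""
    arn = f"arn:aws:iam::{account}:"
    return {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": [arn + "root"]}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": [arn + "role/" + admin_role]},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": [arn + "role/" + endpoint_role]},
             "Action": ENDPOINT_ACTIONS, "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": [arn + "role/" + endpoint_role]},
             "Action": GRANT_ACTIONS, "Resource": "*",
             # The condition restricts grant creation to grants made for an AWS resource.
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principals(stmt: Dict[str, Any]) -> List[str]:
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else [str(x) for x in _as_list(p.get("AWS", []))]


def _covered(action: str, allowed: List[str]) -> bool:
    """True if `action` equals an allowed name or falls under an allowed wildcard."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in allowed)


def lint_key_policy(policy: Dict[str, Any], endpoint_role_arn: str) -> List[str]:
    """Return findings where the policy is broader than the page's shape or the grant
    condition is missing. An empty list means the policy matches the pattern."""
    findings: List[str] = []
    allowed = ENDPOINT_ACTIONS + GRANT_ACTIONS
    grant_stmt_seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal lets any AWS account use the key")
        if "kms:*" in actions:
            for p in principals:
                if not p.endswith(":root"):
                    findings.append(f"{sid}: kms:* granted to non-root principal {p}")
        if endpoint_role_arn not in principals:
            continue
        extra = [a for a in actions if not _covered(a, allowed)]
        if extra:
            findings.append(f"{sid}: endpoint role gets actions beyond key use: {extra}")
        # Any action pattern that covers kms:CreateGrant (including kms:Create* or
        # kms:*) must carry the kms:GrantIsForAWSResource condition.
        if any(_covered("kms:CreateGrant", [a]) for a in actions):
            grant_stmt_seen = True
            val = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if not (val is True or str(val).lower() == "true"):
                findings.append(f"{sid}: kms:CreateGrant without kms:GrantIsForAWSResource")
    if not grant_stmt_seen:
        findings.append(f"no Allow statement gives {endpoint_role_arn} kms:CreateGrant")
    return findings


def drop_grant_condition(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of `policy` with the Condition removed from the kms:CreateGrant statement,
    a common mis-edit; used here to show what the linter catches."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if "kms:CreateGrant" in _as_list(stmt.get("Action", [])):
            stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    account = "987654321098"
    for role in ("DMS-Redshift-endpoint-access-role", "DMS-S3-endpoint-access-role"):
        arn = f"arn:aws:iam::{account}:role/{role}"
        good = dms_key_policy(account, role)
        print(json.dumps(good, indent=2))
        print(role, "->", lint_key_policy(good, arn) or "no findings")
        print(role, "(condition removed) ->", lint_key_policy(drop_grant_condition(good), arn))
```

The condition value is written as the string "true" here and the linter accepts either the string or a JSON boolean, so it checks the policies above as they appear on the page. Wildcards are matched with fnmatch, so kms:GenerateDataKeyWithoutPlaintext is accepted under kms:GenerateDataKey*, while kms:Create* or kms:* on the endpoint role is reported as broader than the page's shape.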