AWS KMS permissions - AWS Key Management Service

This is a machine-translated version. If this translation differs from the original English text, the English original prevails.

AWS KMS permissions

The AWS KMS permissions table lists the permission for each AWS KMS operation so that you can use them correctly in AWS KMS key policies and IAM policies.

Important

Be careful when granting principals permission to create and manage policies and to grant access to customer master keys (CMKs). Principals who can manage tags and aliases can also control access to a CMK. For details, see Using ABAC for AWS KMS.

Note

You might need to scroll horizontally and vertically to see all of the data in this table.

Columns: Actions and permissions | Policy type | Resources (for IAM policies) | AWS KMS condition keys

CancelKeyDeletion
Permission: kms:CancelKeyDeletion
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

ConnectCustomKeyStore
Permission: kms:ConnectCustomKeyStore
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

CreateAlias
Permission: kms:CreateAlias
To use this operation, the caller needs kms:CreateAlias permission on two resources:
  • the alias (in an IAM policy)
  • the CMK (in the key policy)
For details, see Controlling access to aliases.
Policy type: IAM policy (for the alias)
Resource (for IAM policies): Alias
Condition keys: None (when controlling access to the alias)
Policy type: Key policy (for the CMK)
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

CreateCustomKeyStore
Permission: kms:CreateCustomKeyStore
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

CreateGrant
Permission: kms:CreateGrant
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Encryption context conditions: kms:EncryptionContext:, kms:EncryptionContextKeys
  Grant conditions: kms:GrantConstraintType, kms:GranteePrincipal, kms:GrantIsForAWSResource, kms:GrantOperations, kms:RetiringPrincipal
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

CreateKey
Permission: kms:CreateKey
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:BypassPolicyLockoutSafetyCheck, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, aws:RequestTag (AWS global condition key)

Decrypt
Permission: kms:Decrypt
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

DeleteAlias
Permission: kms:DeleteAlias
To use this operation, the caller needs kms:DeleteAlias permission on two resources:
  • the alias (in an IAM policy)
  • the CMK (in the key policy)
For details, see Controlling access to aliases.
Policy type: IAM policy (for the alias)
Resource (for IAM policies): Alias
Condition keys: None (when controlling access to the alias)
Policy type: Key policy (for the CMK)
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

DeleteCustomKeyStore
Permission: kms:DeleteCustomKeyStore
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

DeleteImportedKeyMaterial
Permission: kms:DeleteImportedKeyMaterial
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

DescribeCustomKeyStores
Permission: kms:DescribeCustomKeyStores
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

DescribeKey
Permission: kms:DescribeKey
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:RequestAlias

DisableKey
Permission: kms:DisableKey
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

DisableKeyRotation
Permission: kms:DisableKeyRotation
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

DisconnectCustomKeyStore
Permission: kms:DisconnectCustomKeyStore
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

EnableKey
Permission: kms:EnableKey
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

EnableKeyRotation
Permission: kms:EnableKeyRotation
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

Encrypt
Permission: kms:Encrypt
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GenerateDataKey
Permission: kms:GenerateDataKey
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GenerateDataKeyPair
Permission: kms:GenerateDataKeyPair
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.
Condition keys:
  Data key pair conditions: kms:DataKeyPairSpec
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GenerateDataKeyPairWithoutPlaintext
Permission: kms:GenerateDataKeyPairWithoutPlaintext
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.
Condition keys:
  Data key pair conditions: kms:DataKeyPairSpec
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GenerateDataKeyWithoutPlaintext
Permission: kms:GenerateDataKeyWithoutPlaintext
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GenerateRandom
Permission: kms:GenerateRandom
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: (none)

GetKeyPolicy
Permission: kms:GetKeyPolicy
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GetKeyRotationStatus
Permission: kms:GetKeyRotationStatus
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GetParametersForImport
Permission: kms:GetParametersForImport
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  kms:WrappingAlgorithm, kms:WrappingKeySpec
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

GetPublicKey
Permission: kms:GetPublicKey
Policy type: Key policy
Resource (for IAM policies): CMK (asymmetric only)
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:RequestAlias

ImportKeyMaterial
Permission: kms:ImportKeyMaterial
Policy type: Key policy
Resource (for IAM policies): CMK (symmetric only)
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:ExpirationModel, kms:ValidTo

ListAliases
Permission: kms:ListAliases
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: (none)

ListGrants
Permission: kms:ListGrants
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:GrantIsForAWSResource

ListKeyPolicies
Permission: kms:ListKeyPolicies
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

ListKeys
Permission: kms:ListKeys
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: (none)

ListResourceTags
Permission: kms:ListResourceTags
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

ListRetirableGrants
Permission: kms:ListRetirableGrants
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: (none)

PutKeyPolicy
Permission: kms:PutKeyPolicy
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:BypassPolicyLockoutSafetyCheck

ReEncrypt
Permissions: kms:ReEncryptFrom, kms:ReEncryptTo
To use this operation, the caller needs permission on two CMKs:
  • kms:ReEncryptFrom on the CMK used for decryption
  • kms:ReEncryptTo on the CMK used for encryption
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for cryptographic operations: kms:RequestAlias
  Encryption context conditions: kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:ReEncryptOnSameKey

RetireGrant
Permission: kms:RetireGrant
Permission to retire a grant is determined primarily by the grant itself. Policies alone cannot allow access to this operation. For more information, see Retiring and revoking grants.
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys: kms:ResourceAliases, aws:ResourceTag (AWS global condition key)

RevokeGrant
Permission: kms:RevokeGrant
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Other conditions: kms:GrantIsForAWSResource

ScheduleKeyDeletion
Permission: kms:ScheduleKeyDeletion
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

Sign
Permission: kms:Sign
Policy type: Key policy
Resource (for IAM policies): CMK (asymmetric only)
Condition keys:
  Conditions for signing and verification: kms:MessageType, kms:SigningAlgorithm
  Conditions for cryptographic operations: kms:RequestAlias
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

TagResource
Permission: kms:TagResource
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Tagging conditions: aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key)

UntagResource
Permission: kms:UntagResource
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService
  Tagging conditions: aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key)

UpdateAlias
Permission: kms:UpdateAlias
To use this operation, the caller needs kms:UpdateAlias permission on three resources:
  • the alias
  • the currently associated CMK
  • the newly associated CMK
For details, see Controlling access to aliases.
Policy type: IAM policy (for the alias)
Resource (for IAM policies): Alias
Condition keys: None (when controlling access to the alias)
Policy type: Key policy (for the CMKs)
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

UpdateCustomKeyStore
Permission: kms:UpdateCustomKeyStore
Policy type: IAM policy
Resource (for IAM policies): *
Condition keys: kms:CallerAccount

UpdateKeyDescription
Permission: kms:UpdateKeyDescription
Policy type: Key policy
Resource (for IAM policies): CMK
Condition keys:
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

Verify
Permission: kms:Verify
Policy type: Key policy
Resource (for IAM policies): CMK (asymmetric only)
Condition keys:
  Conditions for signing and verification: kms:MessageType, kms:SigningAlgorithm
  Conditions for cryptographic operations: kms:RequestAlias
  Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag (AWS global condition key), kms:ViaService

The columns in this table provide the following information:

  • Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the action in the Action element of a policy statement.

  • Policy type indicates whether the permission can be used in a key policy or an IAM policy.

    Key policy means that you can specify the permission in a key policy. When the key policy contains a policy statement that enables IAM policies, you can also specify the permission in an IAM policy.

    IAM policy means that you can specify the permission only in an IAM policy.

  • Resources lists the AWS KMS resource to which the permission applies. AWS KMS supports two resource types: the customer master key (CMK) and the alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

    Use the following values to represent an AWS KMS resource in an IAM policy.

    CMK

    When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

    arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

    For example:

    arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    Alias

    When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

    arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

    For example:

    arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

    * (asterisk)

    When the permission does not apply to a particular resource (CMK or alias), use an asterisk (*).

    In an IAM policy for AWS KMS permissions, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the permission does not apply to any particular AWS KMS resource (CMK or alias). For example, when allowing or denying the kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variant, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*

  • AWS KMS condition keys lists the AWS KMS condition keys that you can use to limit a permission. You specify conditions in the Condition element of a policy. This column also includes AWS global condition context keys that are supported by AWS KMS but not by all AWS services.
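As an added illustration (not part of the AWS documentation), the following Python checks the Resource element of a policy statement against the conventions described above: a key policy statement must use *, and in an IAM policy the resource must be a key ARN, an alias ARN for the alias permissions, or * (or the account-specific variant) for the permissions the table lists with a * resource. The action sets and ARN patterns are taken from this page; the sample statements in the comments are constructed.

```python
import re

# Taken from the permissions table on this page: permissions whose resource is "*"
# and that can only be granted in an IAM policy (not tied to a particular CMK or alias).
IAM_ONLY_WILDCARD = {
    "kms:ConnectCustomKeyStore", "kms:CreateCustomKeyStore", "kms:CreateKey",
    "kms:DeleteCustomKeyStore", "kms:DescribeCustomKeyStores",
    "kms:DisconnectCustomKeyStore", "kms:GenerateRandom", "kms:ListAliases",
    "kms:ListKeys", "kms:ListRetirableGrants", "kms:UpdateCustomKeyStore",
}
# Alias permissions: the IAM-policy resource is the alias ARN; the CMK side is
# granted in the key policy (or in IAM when the key policy enables IAM policies).
ALIAS_ACTIONS = {"kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"}

# Resource ARN formats given on this page (partition, region, 12-digit account).
KEY_ARN = re.compile(r"^arn:[^:]+:kms:[^:]*:\d{12}:key/[0-9a-f-]+$")
ALIAS_ARN = re.compile(r"^arn:[^:]+:kms:[^:]*:\d{12}:alias/[A-Za-z0-9/_-]+$")
ACCOUNT_WILDCARD = re.compile(r"^arn:[^:]+:kms:[^:]*:\d{12}:\*$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(policy_type, stmt):
    """Return a list of findings (strings) for one policy statement.
    policy_type is "key" for a key policy or "iam" for an IAM policy.
    Constructed sample: {"Action": "kms:Decrypt", "Resource": "*"} -> [] for "key"."""
    findings = []
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    if policy_type == "key":
        # In a key policy, Resource is always "*": the CMK the policy is attached to.
        if resources != ["*"]:
            findings.append('key policy Resource must be "*"')
        findings += [f"{a} can only be granted in an IAM policy"
                     for a in actions if a in IAM_ONLY_WILDCARD]
        return findings
    for action in actions:
        for res in resources:
            if res == "*":
                continue  # all AWS KMS resources; valid for any permission
            if action in IAM_ONLY_WILDCARD:
                ok = bool(ACCOUNT_WILDCARD.match(res))
            elif action in ALIAS_ACTIONS:
                ok = bool(ALIAS_ARN.match(res) or KEY_ARN.match(res))
            else:
                ok = bool(KEY_ARN.match(res))  # CMK permissions need a key ARN
            if not ok:
                findings.append(f"{action}: unexpected Resource {res}")
    return findings
```

Wildcard actions such as kms:* are not expanded; the check treats an unknown action as a CMK permission.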