Default key policy created in the CloudTrail console
If you create an AWS KMS key in the CloudTrail console, the following policy is created for you automatically. This policy grants these permissions:
- Allow AWS account (root) permissions to the KMS key.
- Allow CloudTrail to encrypt log files and digest files under the KMS key, and to describe the KMS key.
- Allow all users in the specified account to decrypt log files and digest files.
- Allow all users in the specified account to create a KMS alias for the KMS key.
- Cross-account log decryption for the account ID of the account that created the trail.
Default KMS key policy for trails
The following is the default policy created for the AWS KMS key that you use with a trail.
This policy contains a statement that allows cross-account use of the KMS key to decrypt log files and digest files.
JSON
{
    "Version": "2012-10-17",
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {
            "Sid": "Enable IAM user permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/username"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-name"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        }
    ]
}
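As an added defender's check (not part of the AWS documentation), the following Python audits a CloudTrail key policy for the two scoping conditions the default trail policy relies on: any statement with a wildcard AWS principal must be bounded by kms:CallerAccount, and CloudTrail's GenerateDataKey grant must carry the aws:SourceArn and encryption-context conditions. The policy it runs on is a constructed, abbreviated copy of the trail policy above with one deliberately unscoped decrypt statement added so the audit has something to flag.

```python
import json

# Constructed sample, abbreviated from the default trail key policy: CloudTrail's
# encrypt statement, the scoped in-account decrypt statement, and one deliberately
# unscoped decrypt statement that the audit should flag.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "kms:GenerateDataKey*", "Resource": "*",
     "Condition": {
       "StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-name"},
       "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"}}},
    {"Sid": "Allow principals in the account to decrypt log files", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111111111111"}}},
    {"Sid": "Unscoped decrypt", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*"}
  ]
}""")

def as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list
    return value if isinstance(value, list) else [value]

def audit_cloudtrail_key_policy(policy):
    """Return findings for Allow statements broader than the console default: a wildcard
    AWS principal with no kms:CallerAccount condition, or a CloudTrail GenerateDataKey
    grant missing the aws:SourceArn / encryption-context conditions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # "Principal": "*" shorthand
        # Condition keys are case-insensitive; flatten every condition block to one lowercase set
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if "*" in as_list(principal.get("AWS", [])) and "kms:calleraccount" not in keys:
            findings.append(f"{sid}: wildcard AWS principal without kms:CallerAccount condition")
        if "cloudtrail.amazonaws.com" in as_list(principal.get("Service", [])) and any(
                a.startswith("kms:generatedatakey") for a in actions):
            for needed in ("aws:sourcearn", "kms:encryptioncontext:aws:cloudtrail:arn"):
                if needed not in keys:
                    findings.append(f"{sid}: CloudTrail encrypt statement lacks {needed} condition")
    return findings
```

Run it against the output of `aws kms get-key-policy` for the trail's key; an empty findings list means the policy is at least as tightly scoped as the console default.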
Default KMS key policy for CloudTrail Lake event data stores
The following is the default policy created for the AWS KMS key that you use for event data stores in CloudTrail Lake.
JSON
{
    "Version": "2012-10-17",
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {
            "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Enable IAM user permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Enable user to have permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::111111111111:assumed-role/example-role-name"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]
}