Amazon web services: ECS container cannot use AWS KMS key due to access denied


Initial state: I want to decrypt values with a KMS key inside an ECS container. For this, the task definition has an execution role that references the role RoleECSTaskContainer below. The role and the KMS key are set up as follows:

    KMSKeyEncryption:
        Type: AWS::KMS::Key
        Properties:
          Enabled: true
          EnableKeyRotation: false
          KeyPolicy:
            Version: 2012-10-17
            Statement:
              - Principal:
                  AWS: "<arn of the users/roles who are allowed to manage this key>"
                Effect: Allow
                Action:
                  - kms:Create*
                  - kms:Describe*
                  - kms:Enable*
                  - kms:List*
                  - kms:Put*
                  - kms:Update*
                  - kms:Revoke*
                  - kms:Disable*
                  - kms:Get*
                  - kms:Delete*
                  - kms:ScheduleKeyDeletion
                  - kms:CancelKeyDeletion
                  - kms:Encrypt*
                  - kms:Decrypt*
                Resource: "*"
              - Principal:
                  AWS: ecs-tasks.amazonaws.com
                Effect: Allow
                Action:
                  - kms:Decrypt*
                Resource: "*"
      PolicyDecryptKms:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          ManagedPolicyName: DecryptKmsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowDecryptValues
                Effect: Allow
                Action:
                  - kms:Decrypt*
                Resource: !GetAtt KMSKeyEncryption.Arn
      RoleECSTaskContainer:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: 2008-10-17
            Statement:
              - Effect: Allow
                Principal:
                  Service: ecs-tasks.amazonaws.com
                Action: sts:AssumeRole
          RoleName: ECSTaskContainerRole
          ManagedPolicyArns:
            - !Ref PolicyDecryptKms
When the container tries to decrypt a value with the KMS key, the following exception occurs:

    User: arn:aws:sts::123123123:assumed-role/ECSTaskContainerRole/bc9a5782-9sf8-312a-8z76-0ef29a6e5631 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-west-1:123123123:key/8c9h2f44-bjvb-4l2d-fkj11-fjdahjEr564182

After some investigation I found that if I change the key policy a bit to allow all principals to decrypt, as follows, it starts working:

    Principal: "*"
    Effect: Allow
    Action:
      - kms:Decrypt*
    Resource: "*"

But this is not a secure way to define the key policy, because I am allowing everyone to decrypt values with this KMS key.


I assume I am wrong to use ecs-tasks.amazonaws.com as the principal. Is that correct? If so, which service should I use in this case?

There are two ways to control access to a KMS key:

  • by using the key policy, which lets you define the access control in a single policy
  • by using IAM policies in combination with the key policy, which lets you manage all permissions of IAM identities in IAM

You can control access with the key policy alone. However, IAM policies by themselves are not sufficient to allow access to a CMK. You must give the AWS account full access to the CMK to enable IAM policies:

    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
    
So it depends on how you want to manage your policies. For simplicity, I usually prefer KMS key policies, so I would just set the key policy to grant the role kms:Decrypt permission and remove the managed IAM policy:

    KMSKeyEncryption:
      Type: AWS::KMS::Key
      Properties:
        KeyPolicy:
          Version: 2012-10-17
          Statement:
          ...
             - Principal:
                 AWS: !GetAtt RoleECSTaskContainer.Arn
               Effect: Allow
               Action:
                 - kms:Decrypt*
               Resource: "*"
    
    RoleECSTaskContainer:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: 2008-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service: ecs-tasks.amazonaws.com
              Action: sts:AssumeRole
        RoleName: ECSTaskContainerRole
    

Then please mark his answer as the "correct" answer.
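The question and the answer above hinge on two properties of a KMS key policy: an `AWS` principal must be an account or IAM principal (a service name such as ecs-tasks.amazonaws.com is not one, and a task calls KMS with its task role), and `Principal: "*"` opens the action to everyone. The following Python script is an added example, not code from the question, the answer or AWS; it audits a key policy offline for both mistakes and checks whether the policy delegates to IAM via the account-root `kms:*` statement the answer quotes. The account id, the admin role and the sample policies are constructed from the page's snippets.

```python
"""Offline audit of a KMS key policy for the problems discussed on this page.

Added example (not code from the question or answer). The policies below are
constructed from the page's CloudFormation snippets as Python dicts; the
account id and role names are placeholders.
"""
import re
from typing import Any, Dict, List

ACCOUNT_ID = "111122223333"  # placeholder account, as in the AWS docs excerpt
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ECSTaskContainerRole"  # assumed name

# An AWS principal in a key policy must be an account id, a root ARN, or an IAM
# user/role ARN; assumed-role session ARNs are accepted too and resolve to the role.
_AWS_PRINCIPAL = re.compile(
    r"^(\d{12}|arn:aws:iam::\d{12}:(root|user/.+|role/.+)|arn:aws:sts::\d{12}:assumed-role/.+)$"
)


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def audit_key_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per problematic Allow statement (empty list means clean)."""
    findings: List[str] = []
    for idx, stmt in enumerate(_allow_statements(policy)):
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        for p in aws_principals:
            if p == "*":
                findings.append(
                    f"statement {idx}: wildcard principal opens {_as_list(stmt.get('Action'))} "
                    "to every AWS principal"
                )
            elif not _AWS_PRINCIPAL.match(p):
                findings.append(
                    f"statement {idx}: '{p}' is not an IAM principal; an ECS task calls KMS with its "
                    "task role, so name that role's ARN (service names belong under Principal.Service)"
                )
    return findings


def iam_policies_effective(policy: Dict[str, Any], account_id: str) -> bool:
    """True when the key policy delegates to IAM by granting the account root kms:*."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and root in _as_list(principal.get("AWS")):
            if "kms:*" in _as_list(stmt.get("Action")):
                return True
    return False


def ecs_task_decrypt_statement(role_arn: str) -> Dict[str, Any]:
    """The statement the answer recommends: grant Decrypt to the task role by ARN."""
    return {"Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": "kms:Decrypt", "Resource": "*"}


# Constructed samples mirroring the three key policies on the page.
ADMIN_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmins"},  # placeholder admin role
    "Action": ["kms:Create*", "kms:Describe*", "kms:Decrypt*"],
    "Resource": "*",
}
ORIGINAL_POLICY = {  # the question's first policy: a service name as AWS principal
    "Version": "2012-10-17",
    "Statement": [ADMIN_STATEMENT, {"Effect": "Allow", "Principal": {"AWS": "ecs-tasks.amazonaws.com"},
                                    "Action": "kms:Decrypt*", "Resource": "*"}],
}
WILDCARD_POLICY = {  # the "it starts working" policy: anyone may decrypt
    "Version": "2012-10-17",
    "Statement": [ADMIN_STATEMENT, {"Effect": "Allow", "Principal": "*",
                                    "Action": "kms:Decrypt*", "Resource": "*"}],
}
FIXED_POLICY = {  # the answer's policy: the task role named by ARN
    "Version": "2012-10-17",
    "Statement": [ADMIN_STATEMENT, ecs_task_decrypt_statement(TASK_ROLE_ARN)],
}

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL_POLICY), ("wildcard", WILDCARD_POLICY), ("fixed", FIXED_POLICY)]:
        print(f"{name:8s}", audit_key_policy(pol) or "clean",
              "| IAM delegation:", iam_policies_effective(pol, ACCOUNT_ID))
```

Run it as a script to see one finding each for the original and wildcard policies and none for the fixed one. To audit a deployed key, load the output of `aws kms get-key-policy --policy-name default` with `json.loads` and pass the dict to `audit_key_policy`; the `iam_policies_effective` result tells you whether a managed IAM policy like the question's DecryptKmsPolicy can have any effect on that key.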