Amazon web services 使用AWS系统会话管理器加密的CloudWatch日志组的KMS权限
我已经设置了一个CMK(自定义托管密钥)来使用AWS系统会话管理器加密日志组:Amazon web services 使用AWS系统会话管理器加密的CloudWatch日志组的KMS权限,amazon-web-services,aws-kms,aws-ssm,Amazon Web Services,Aws Kms,Aws Ssm,我已经设置了一个CMK(自定义托管密钥)来使用AWS系统会话管理器加密日志组: 首先,在KMS控制台中添加“关键管理员”和“关键用户/角色”的权限 接下来,在AWS Systems Manager会话管理器首选项中将CMK附加到日志组,如下图所示: 错误: 指定的KMS密钥不存在或不允许与日志组“arn:aws:logs:my\u region:my\u account\u id:log group:/SSM”一起使用 密钥必须存在,因为它用于加密会话,只是没有正确解密日志组,但它链接到日
密钥必须存在,因为它用于加密会话,只是没有正确解密日志组,但它链接到日志组,并且用户有权限。有什么好处?我试图复制你的问题 我的会话管理器设置: CloudWatch日志组已使用CLI进行加密
{
"logGroups": [
{
"logGroupName": "SSM",
"creationTime": 1593579430258,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
"storedBytes": 0,
"kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
}
]
}
启动会话管理器后,我可以确认它已加密:
基于此验证,唯一需要使其工作的是设置KMS密钥策略。我在KMS中添加了以下内容(SSMRole
is instance role,其他条目应为自我解释):
非常成功,马辛。感谢您的详细解释,帮助我更好地理解策略用法。@永远学习和编码没有问题。通过遵循“最低特权”标准,这些政策可能会变得更好,但这是未来修改的良好开端。
{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:role/SSMRole"
}
}