ablog

Notes of a clumsy, restless engineer

VPCE Policy Of The Year

Jotting this down because it made me go "oh, I see". Credit: ちゃむれお-san (c).

| # | S3 encryption method | Cross-account access controlled by VPC endpoint policy |
|---|---|---|
| 1 | SSE-S3 (AES-256) | X (not possible) |
| 2 | SSE-KMS with the AWS managed key (aws/s3) | X (not possible) |
| 3 | SSE-KMS with a customer-managed KMS key | Yes, using the two policies below |
  • VPC endpoint policy (allows all S3 actions, then denies PutObject unless the object is encrypted with a KMS key owned by one of the two listed accounts)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": [
                        "arn:aws:kms:ap-northeast-1:123456789012:key/*",
                        "arn:aws:kms:ap-northeast-1:234567890123:key/*"
                    ]
                }
            }
        }
    ]
}
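The caveat worth knowing about the Deny statement above is that StringNotLike is a negated operator: when the request carries no x-amz-server-side-encryption-aws-kms-key-id header at all, IAM treats the condition as matching, so the Deny applies. Unencrypted uploads, SSE-S3 uploads and SSE-KMS uploads that fall back to the default aws/s3 key (no key ID sent) are therefore all blocked, and only SSE-KMS with a key from one of the two listed accounts gets through. The following Python is an added example, not code from the original post: it models that evaluation for the page's own policy against a few constructed PutObject requests. It assumes the key ARNs shown are placeholders, that S3 populates the condition key only from the request header (so it is absent for the default-key case), and that the header value is compared as sent (S3's resolution of key aliases to ARNs is not modelled, so the requests here use full key ARNs).

```python
import fnmatch

# The VPC endpoint policy from the post (placeholder account IDs as in the post).
VPCE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": [
                        "arn:aws:kms:ap-northeast-1:123456789012:key/*",
                        "arn:aws:kms:ap-northeast-1:234567890123:key/*",
                    ]
                }
            },
        },
    ],
}

KMS_KEY_ID_CONDITION = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_condition(operator, patterns, actual):
    """Evaluate one StringLike / StringNotLike condition.

    IAM rule modelled here: '*' and '?' are wildcards, and a negated operator
    (StringNot...) evaluates to TRUE when the condition key is absent from the
    request context. Absence is what an unencrypted, SSE-S3 or default-key
    SSE-KMS PutObject produces, because S3 fills this key only from the
    x-amz-server-side-encryption-aws-kms-key-id header (assumption, see lead-in).
    """
    if operator not in ("StringLike", "StringNotLike"):
        raise ValueError(f"operator not modelled: {operator}")
    negated = operator == "StringNotLike"
    if actual is None:
        return negated
    matched = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns))
    return (not matched) if negated else matched


def statement_applies(statement, action, context):
    """True if the statement covers this action and every condition holds."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    return all(
        string_condition(op, patterns, context.get(key))
        for op, keys in statement.get("Condition", {}).items()
        for key, patterns in keys.items()
    )


def is_allowed(policy, action, kms_key_id=None):
    """Explicit Deny beats Allow; no applicable Allow means implicit deny."""
    context = {KMS_KEY_ID_CONDITION: kms_key_id}
    allowed = False
    for st in policy["Statement"]:
        if not statement_applies(st, action, context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample requests; the key ARNs are placeholders, not real keys.
ALLOWED_KEY = "arn:aws:kms:ap-northeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PARTNER_KEY = "arn:aws:kms:ap-northeast-1:234567890123:key/abcd1234-ab12-cd34-ef56-abcdef123456"
FOREIGN_KEY = "arn:aws:kms:ap-northeast-1:999999999999:key/0000aaaa-00aa-00aa-00aa-000000000000"

PUT_CASES = {
    "unencrypted": None,                 # no SSE headers at all
    "SSE-S3 (AES256)": None,             # SSE header present, but no KMS key id
    "SSE-KMS default aws/s3 key": None,  # aws:kms without a key id: header absent
    "SSE-KMS key in 123456789012": ALLOWED_KEY,
    "SSE-KMS key in 234567890123": PARTNER_KEY,
    "SSE-KMS key in another account": FOREIGN_KEY,
}


def classify_put_requests(policy=VPCE_POLICY):
    """Map each sample PutObject request to whether the endpoint policy allows it."""
    return {name: is_allowed(policy, "s3:PutObject", key) for name, key in PUT_CASES.items()}


if __name__ == "__main__":
    for name, ok in classify_put_requests().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  PutObject  {name}")
    get_ok = is_allowed(VPCE_POLICY, "s3:GetObject")
    print(f"{'ALLOW' if get_ok else 'DENY':5}  GetObject  (the Deny covers PutObject only)")
```

Two things the run makes visible: the `key/*` wildcard pins only the key's region and account, so any key in those two accounts passes; and the first statement grants `s3:*` to every principal on every resource, so reads through the endpoint are not restricted by this policy at all, only writes are.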
  • KMS key policy that allows cross-account access (the key is owned by account 234567890123, whose root gets full kms:* rights; account 123456789012 is granted only the operations needed to encrypt and decrypt with it)
{
    "Version": "2012-10-17",
    "Id": "test key policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::234567890123:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key from account 123456789012",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}