If you want to allow encryption/decryption with a KMS key only from within the same account, the key policy can specify kms:CallerAccount in a StringEquals Condition clause.
Create a customer managed key in KMS
- Set the following key policy. The third statement is the point of interest: its Principal is "*", but the StringEquals condition on kms:CallerAccount restricts use of the key to callers from account 123456789012.

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012"
        }
      }
    }
  ]
}
```
Create IAM policy: KmsPermissionTestPolicy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Create IAM role: KmsPermissionTestRole
- Permissions
  - AmazonS3FullAccess
  - KmsPermissionTestPolicy
- Trust relationship

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Test
- From an EC2 instance with the IAM role "KmsPermissionTestRole" attached, upload a file to S3 and download it again.

```
$ aws s3 cp 100M.dat s3://kms-test/
upload: ./100M.dat to s3://kms-test/100M.dat
$ aws s3 ls --human-readable s3://kms-test/100M.dat
2020-04-21 08:41:00 100.0 MiB 100M.dat
$ aws s3 cp s3://kms-test/100M.dat 100M_DL.dat
download: s3://kms-test/100M.dat to ./100M_DL.dat
```

- I also confirmed that a Lambda function performing format conversion for Kinesis Firehose could decrypt using an IAM role with KmsPermissionTestPolicy attached.
Addendum (2020/6/28): additionally, a sample that allows use of the key only via a specific service. kms:ViaService is added to the same StringEquals block, so both conditions must hold: the caller must be in this account and the request must arrive through Kinesis in ap-northeast-1.

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012",
          "kms:ViaService": "kinesis.ap-northeast-1.amazonaws.com"
        }
      }
    }
  ]
}
```
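To check how the kms:CallerAccount and kms:ViaService conditions above behave before deploying a key policy, here is a small offline evaluator (an added example, not code from the original post). It models only the subset used here: Allow statements with a wildcard principal and StringEquals conditions; the embedded statement is constructed in the same shape as the addendum's, and the caller's own IAM policy (which KMS also requires) is not modelled.

```python
import json
from fnmatch import fnmatchcase

# Constructed statement in the same shape as the page's third key-policy
# statement, with both the account and the service condition set.
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow use of the key from this account, via Kinesis only",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {"StringEquals": {
      "kms:CallerAccount": "123456789012",
      "kms:ViaService": "kinesis.ap-northeast-1.amazonaws.com"}}}]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, request):
    """StringEquals only: every key must match; a key missing from the
    request context (a direct API call carries no kms:ViaService) fails."""
    for key, expected in condition.get("StringEquals", {}).items():
        if request.get(key) not in _as_list(expected):
            return False
    return True


def statement_allows(stmt, action, request):
    """Does this Allow statement with a wildcard principal match the request?
    request = {"kms:CallerAccount": ..., "kms:ViaService": ...(optional)}"""
    wildcard_principal = stmt.get("Principal") in ("*", {"AWS": "*"})
    if stmt.get("Effect") != "Allow" or not wildcard_principal:
        return False
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), request)


def key_policy_allows(policy, action, request):
    """True if any statement in the key policy allows the request.
    The caller's IAM policy must still grant the action; not modelled here."""
    return any(statement_allows(s, action, request) for s in policy["Statement"])
```

Running it with a request from the same account through Kinesis returns True, while a direct API call from the same account (no kms:ViaService in the context) or a request from another account returns False.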