创建时出现 MalformedPolicyDocumentException AWS::KSM::Key
MalformedPolicyDocumentException when creating AWS::KSM::Key
我正在尝试创建一个 KSM 密钥以在 S3 服务中使用它,但我收到 MalformedPolicyDocument 异常。这是资源:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Condition" : "EnableEncryption",
"Properties" : {
"Description" : "Client Master Key used to encrypt data",
"Enabled" : true,
"EnableKeyRotation" : true,
"KeyPolicy" :
{
"Version": "2012-10-17",
"Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement":
[{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS":
[
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.eu-west-1.amazonaws.com"
}
}
}]
}
}
},
不知道哪里出错了,对我来说还好。有什么想法吗?
::EDIT::
此代码给出相同的错误:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : "A sample key",
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
]
}
}
},
定义的委托人未评估为 Arns。
第一位校长的评估结果为:
"AWS": "arn:aws:iam::11111111moimeco"
用户的有效 ARN 如下所示:
"arn:aws:iam::1111111:user/username"
此外,您需要将 root 用户包含在您的主体中。
否则,AWS 根本不会让您创建密钥。这背后的原因描述如下:
AWS Key policies 在 "Allows Access to the AWS Account and Enables IAM Policies"
下
我正在尝试创建一个 KSM 密钥以在 S3 服务中使用它,但我收到 MalformedPolicyDocument 异常。这是资源:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Condition" : "EnableEncryption",
"Properties" : {
"Description" : "Client Master Key used to encrypt data",
"Enabled" : true,
"EnableKeyRotation" : true,
"KeyPolicy" :
{
"Version": "2012-10-17",
"Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement":
[{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS":
[
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.eu-west-1.amazonaws.com"
}
}
}]
}
}
},
不知道哪里出错了,对我来说还好。有什么想法吗?
::EDIT::
此代码给出相同的错误:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : "A sample key",
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
]
}
}
},
定义的委托人未评估为 Arns。
第一位校长的评估结果为:
"AWS": "arn:aws:iam::11111111moimeco"
用户的有效 ARN 如下所示:
"arn:aws:iam::1111111:user/username"
此外,您需要将 root 用户包含在您的主体中。
否则,AWS 根本不会让您创建密钥。这背后的原因描述如下:
AWS Key policies 在 "Allows Access to the AWS Account and Enables IAM Policies"
下