这是完整的场景。我的用例需要启用 SSE 的 SNS 和 SQS。我们使用存储在中央安全管理的 KMS 帐户中的 BYOK KMS 密钥。SNS 主题和 SQS 都从同一个应用程序帐户访问密钥。该策略具有以下内容以允许访问(注意:这不是完整策略,只是相关的跨帐户和 SNS/SQS 内容):
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::112233445566:role/XYZ",
"arn:aws:iam::778899110022:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow Amazon SNS to use this key",
"Effect": "Allow",
"Principal": {
"Service": [
"sns.amazonaws.com",
"sqs.amazonaws.com"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*"
}
]
}
无论我尝试什么,当我尝试读取消息时,SQS 都会出现以下错误:
"{\"ErrorCode\":\"KMS.AccessDeniedException\",\"ErrorMessage\":\"null (服务:AWSKMS;状态代码:400;错误代码:AccessDeniedException;请求 ID:blahblahblah)\",\"sqsRequestId\":\"Unrecoverable\"}"
综上所述...当我在 KMS 帐户中创建自己的密钥并使用该密钥时,我成功了。不幸的是,我们的安全策略要求使用他们的 KMS 密钥。非常感谢任何见解。
答案1
将以下策略添加到KMS:
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "222222222222",
"kms:ViaService": "sns.us-east-2.amazonaws.com"
}
}
}