使用 KMS 加密时,哪种 IAM 策略适合 gitlab S3 存储桶?

使用 KMS 加密时,哪种 IAM 策略适合 gitlab S3 存储桶?

我正在使用 S3 存储后端设置 GitLab,并希望使用 KMS 加密存储桶。我想避免广泛授予权限。我正在使用 terraform 来配置这些资源。

我该如何为此制定一个好的政策?

答案1

此策略假设您的存储桶位于一组aws_s3_bucket名为 的资源中gitlab_buckets,而您用于加密这些存储桶的密钥位于 中aws_kms_key.gitlab_buckets。如果满足这些要求,则此策略应可行。

data "aws_iam_policy_document" "gitlab_s3" {
  statement {
    sid = "3"

    actions = [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:DescribeKey",
        "kms:ReEncryptFrom"
    ]

    resources = [
      aws_kms_key.gitlab_buckets.arn
    ]
  }

  statement {
    sid = "1"

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
      "s3:PutObjectACL"
    ]

    resources = [
      for bucket in aws_s3_bucket.gitlab_buckets:
      "${bucket.arn}/*"
    ]
  }

  statement {
    sid = "2"

    actions = [
      "s3:ListBucket",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
      "s3:ListBucketMultipartUploads"
    ]

    resources = [
      for bucket in aws_s3_bucket.gitlab_buckets:
      bucket.arn
    ]
  }

}

相关内容