I am trying to use an Auto Scaling group in AWS to create and manage instances launched from an AMI whose snapshots are encrypted with a CMK owned by a different AWS account.
I keep getting the error "Client.InternalError: Client error on launch". According to scenario 2 at https://docs.aws.amazon.com/autoscaling/ec2/userguide/ts-as-instancelaunchfailure.html#ts-as-instancelaunchfailure-12, I need to create a grant on the CMK with the Auto Scaling group service-linked role as the grantee principal.
I tried to follow the AWS documentation and the guidance in https://forums.aws.amazon.com/thread.jspa?threadID=277523 to set up the grant.
However, I keep getting an AccessDeniedException saying my user is not authorized to perform kms:CreateGrant on the CMK.
I feel like I followed the instructions exactly, but it does not work. I hope someone can offer some insight.
I chatted with an AWS employee who ran into the same problem, until he re-read the forum post. The key line in Case 2, step 4, is: "Do not include the kms:GrantIsForAWSResource condition, to allow IAM users or roles in account 111122223333 to create a grant in the next step."
In other words, you need to remove this condition from the default key policy of the customer-managed CMK.
The instructions could make this requirement more explicit, but technically it is there, and it solves the problem.
After reading your helpful information I was able to solve it, so I decided to post my findings for others.
Here is what I did to allow the "SharedAccountId" to access and use a custom KMS key (CMK) from the "dev" account.
For this example, assume the "dev" account is in us-west-2 and "SharedAccount" is in us-east-1.
CloudFormation for creating the key:
Note: launch this CloudFormation stack in the "Dev" account, which in this example is in us-west-2.
```json
{
  "Description": "Creates a KMS key used to encrypt snapshots and allows sharing with another account.",
  "Outputs": {
    "AMIKeyIdOutput": {
      "Description": "The KMS Key id used to encrypted snapshots.",
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-kmskeyid"
        }
      },
      "Value": {
        "Ref": "AMIKmsKey"
      }
    },
    "AMIKmsAliasOutput": {
      "Description": "The KMS key alias used to encrypted snapshots.",
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-kmsalias"
        }
      },
      "Value": {
        "Ref": "AMIKmsAlias"
      }
    }
  },
  "Parameters": {
    "SharedAccountId": {
      "AllowedPattern": "^(?!\\s*$).+",
      "ConstraintDescription": "You must supply a account id you want to share with.",
      "Description": "The account id you want to share this key with.",
      "Type": "String"
    }
  },
  "Resources": {
    "AMIKmsAlias": {
      "Properties": {
        "AliasName": {
          "Fn::Sub": "alias/amiencryptionkey"
        },
        "TargetKeyId": {
          "Ref": "AMIKmsKey"
        }
      },
      "Type": "AWS::KMS::Alias"
    },
    "AMIKmsKey": {
      "Properties": {
        "Description": "AMI encryption key.",
        "EnableKeyRotation": "true",
        "Enabled": "true",
        "KeyPolicy": {
          "Statement": [
            {
              "Action": [
                "kms:*"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                }
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow access for Key Administrators"
            },
            {
              "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":root"
                      ]
                    ]
                  },
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                      ]
                    ]
                  },
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  }
                ]
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow use of the key"
            },
            {
              "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                  },
                  {
                    "Fn::Join": [
                      ":",
                      [
                        "arn:aws:iam:",
                        {"Ref": "SharedAccountId"},
                        "root"
                      ]
                    ]
                  },
                  {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:iam::",
                        {"Ref": "SharedAccountId"},
                        ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                      ]
                    ]
                  },
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  }
                ]
              },
              "Resource": [
                "*"
              ],
              "Sid": "Allow attachment of persistent resources."
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Type": "AWS::KMS::Key"
    }
  }
}
```
Also note that some of the principals are not needed, but this should be enough to get you started. After setting up the KMS key as in the template above, you must run the following CLI command:
Note: in this example, SharedAccountId is in us-east-1 and the KMS key is in the "Dev" account in us-west-2.
```bash
aws kms create-grant \
  --region us-east-1 \
  --profile SharedAccountProfile \
  --key-id arn:aws:kms:us-west-2:<DevAccountId>:key/<KMS_KEY_ID From above CF template> \
  --grantee-principal arn:aws:iam::<SharedAccountId>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
  --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"
```
That should do it. Now you can share encrypted AMIs between accounts and allow Auto Scaling groups to launch instances from them.
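Both answers turn on the same detail: a key-policy statement that allows kms:CreateGrant only under the kms:GrantIsForAWSResource condition is satisfied when an AWS service creates the grant, not when an IAM user runs create-grant from the CLI. The following is an added check (not code from either answer) that classifies a key policy for a given caller and strips that condition; the policy document, account ids and caller ARNs are constructed sample values.

```python
import fnmatch
import json

# Constructed sample (not from the page): the "Allow attachment of persistent resources"
# statement as the console generates it, WITH the condition the answers say to remove.
DEFAULT_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
        "Resource": "*",
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, caller_arn):
    """True if the statement names the caller, the caller's account root, or '*'."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    return any(p in (caller_arn, account_root, "*") for p in _as_list(principal.get("AWS", [])))


def create_grant_verdict(policy_json, caller_arn):
    """'allowed', 'blocked_by_condition' or 'no_statement' for a direct CreateGrant call."""
    verdict = "no_statement"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or not _principal_matches(stmt, caller_arn):
            continue
        if not any(fnmatch.fnmatchcase("kms:CreateGrant", a) for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true":
            verdict = "blocked_by_condition"  # only AWS services satisfy this condition
        else:
            return "allowed"
    return verdict


def without_resource_condition(policy_json):
    """Return the policy with kms:GrantIsForAWSResource removed, as the answers recommend."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        bool_cond.pop("kms:GrantIsForAWSResource", None)
        if not bool_cond:
            stmt.get("Condition", {}).pop("Bool", None)
        if not stmt.get("Condition"):
            stmt.pop("Condition", None)
    return json.dumps(policy)
```

A root principal in the statement only delegates to the account's IAM policies, so the calling user still needs an identity policy that allows kms:CreateGrant on the key.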