我已经设置了一个 CMK(自定义托管 key )来使用 AWS 系统 session 管理器加密日志组:
错误:
指定的 KMS key 不存在或不允许与 LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM'一起使用
key 必须存在,因为它用于加密 session 并且只是没有正确解密日志组,但它链接到日志组并且用户具有权限。是什么赋予了?
最佳答案
我试过 复制您的问题 .
我的 session 管理器 设置 :
CloudWatch 日志组已被 加密 使用命令行:
{
"logGroups": [
{
"logGroupName": "SSM",
"creationTime": 1593579430258,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
"storedBytes": 0,
"kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
}
]
}
基于此验证,使其工作唯一需要的是设置 KMS key 策略。我在 KMS 中添加了以下内容(
SSMRole 是实例角色,其他条目应该是不言自明的):{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:role/SSMRole"
}
}
关于amazon-web-services - 使用 AWS Systems Session Manager 加密 CloudWatch LogGroups 的 KMS 权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62669923/