本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 基準 KMS 金鑰和 IAM 政策陳述式
此處提供的基準 KMS 金鑰和身分型政策是常見需求的基礎。我們也建議您檢閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)以提供更精細的存取控制,例如確保 KMS 金鑰只能由特定 IAM Identity Center 執行個體或 AWS 受管應用程式存取。在使用進階 KMS 金鑰政策陳述式之前,請檢閱 [選擇基準與進階 KMS 金鑰政策陳述式的考量](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline)。
以下各節提供每個使用案例的基準政策陳述式。展開符合您使用案例的區段,並複製 KMS 金鑰政策陳述式。然後,返回 [步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements)。
## 使用 IAM Identity Center 的基準 KMS 金鑰政策陳述式 (必要)
在 中使用下列 KMS 金鑰政策陳述式範本[步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements),以允許 IAM Identity Center、其相關聯的 Identity Store 和 IAM Identity Center 管理員使用 KMS 金鑰。
+ 在管理員政策陳述式的主體元素中 AWS ,指定 IAM Identity Center 管理帳戶的帳戶主體,這是 AWS 組織管理帳戶和委派的管理帳戶,格式為 "arn:aws:iam::111122223333:root"。
+ 在 PrincipalArn 元素中,將範例 ARNs 取代為 IAM Identity Center 管理員的 IAM 角色。
您可以指定下列其中一項:
+ 特定 IAM 角色 ARN:
` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_12345678"`
+ 萬用字元模式 (建議):
` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_*"`
如果刪除並重新建立許可集,使用萬用字元 (`*`) 可防止存取遺失,因為 Identity Center 會為重新建立的許可集產生新的唯一識別符。如需實作範例,請參閱 [自訂信任政策範例](referencingpermissionsets.md#custom-trust-policy-example) 。
+ 在 SourceAccount 元素中,指定 IAM Identity Center 帳戶 ID。
+ Identity Store 有自己的服務主體 `identitystore.amazonaws.com`,必須允許其使用 KMS 金鑰。
+ 這些政策陳述式允許特定 AWS 帳戶中的 IAM Identity Center 執行個體使用 KMS 金鑰。若要限制對特定 IAM Identity Center 執行個體的存取,請參閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)。每個 AWS 帳戶只能有一個 IAM Identity Center 執行個體。
KMS 金鑰政策陳述式
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": "kms:DescribeKey",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
}
}
},
{
"Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "sso.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIdentityStoreToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "identitystore.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
"Effect": "Allow",
"Principal": {
"Service": [
"identitystore.amazonaws.com",
"sso.amazonaws.com"
]
},
"Action": "kms:DescribeKey",
"Resource": "*"
}
]
}
```
在 中使用下列 IAM 政策陳述式範本[步驟 4:設定 KMS 金鑰跨帳戶使用的 IAM 政策](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key),以允許 IAM Identity Center 管理員使用 KMS 金鑰。
+ 將 `Resource` 元素中的範例金鑰 ARN 取代為您實際的 KMS 金鑰 ARN。如需尋找參考識別符值的說明,請參閱 [尋找所需識別符的位置](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 這些 IAM 政策陳述式會將 KMS 金鑰存取權授予 IAM 主體,但不會限制哪些 AWS 服務可以提出請求。KMS 金鑰政策通常會提供這些服務限制。不過,您可以將加密內容新增至此 IAM 政策,以限制特定 Identity Center 執行個體的用量。如需詳細資訊,請參閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)。
IAM Identity Center 委派管理員所需的 IAM 政策陳述式
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
"Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
"Effect": "Allow",
"Action": "kms:ListAliases",
"Resource": "*"
}
]
}
```
## 使用 AWS 受管應用程式的基準 KMS 金鑰和 IAM 政策陳述式
**注意**
某些 AWS 受管應用程式無法與以客戶受管 KMS 金鑰設定的 IAM Identity Center 搭配使用。如需詳細資訊,請參閱[AWS 使用 IAM Identity Center 的受管應用程式](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps-that-work-with-identity-center.html)。
在 中使用下列 KMS 金鑰政策陳述式範本[步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements),以允許 AWS 受管應用程式及其管理員使用 KMS 金鑰。
+ 在 PrincipalOrgID 和 SourceOrgId 條件中插入您的 AWS Organizations ID。如需尋找參考識別符值的說明,請參閱 [尋找所需識別符的位置](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 這些政策陳述式允許組織中的任何 AWS 受管應用程式和任何 IAM 主體 (應用程式管理員) AWS 使用 kms:Decrypt 使用 IAM Identity Center 和 Identity Store。若要將這些政策陳述式限制為特定 AWS 受管應用程式、帳戶或 IAM Identity Center 執行個體,請參閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)。
您可以將 取代` *`為特定 IAM 主體,以限制特定應用程式管理員的存取。若要在重新建立許可集時防止 IAM 角色名稱變更,請使用 中的 方法[自訂信任政策範例](referencingpermissionsets.md#custom-trust-policy-example)。如需詳細資訊,請參閱[選擇基準與進階 KMS 金鑰政策陳述式的考量](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline)。
KMS 金鑰政策陳述式
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
}
]
}
```
在 中使用下列 IAM 政策陳述式範本[步驟 4:設定 KMS 金鑰跨帳戶使用的 IAM 政策](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key),以允許受管應用程式的管理員 AWS 使用成員帳戶中的 KMS 金鑰。
+ 將資源元素中的範例 ARN 取代為您實際的 KMS 金鑰 ARN。如需尋找參考識別符值的說明,請參閱 [尋找所需識別符的位置](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
+ 有些 AWS 受管應用程式會要求您設定 IAM Identity Center 服務 APIs許可。在 IAM Identity Center 中設定客戶受管金鑰之前,請確認這些許可也允許使用 KMS 金鑰。如需特定 KMS 金鑰許可要求,請參閱您已部署之每個 AWS 受管應用程式的文件。
AWS 受管應用程式管理員所需的 IAM 政策陳述式:
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 使用 的基準 KMS 金鑰陳述式 AWS Control Tower
在 中使用下列 KMS 金鑰陳述式範本[步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements),以允許 AWS Control Tower 管理員使用 KMS 金鑰。
+ 在主體元素中,指定用於存取 IAM Identity Center 服務 APIs IAM 主體。如需 IAM 主體的詳細資訊,請參閱《*IAM 使用者指南*》中的[指定主體](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 這些政策陳述式允許 AWS Control Tower 管理員透過任何 IAM Identity Center 執行個體使用 KMS 金鑰。不過, AWS Control Tower 會限制存取相同組織中 IAM Identity Center AWS 的組織執行個體。由於此限制,無法進一步將 KMS 金鑰限制為特定 IAM Identity Center [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md) 執行個體,如 中所述。
+ 若要在重新建立許可集時協助防止 IAM [自訂信任政策範例](referencingpermissionsets.md#custom-trust-policy-example) 角色名稱變更,請使用中所述的方法。
KMS 金鑰政策聲明:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
AWS Control Tower 不支援委派的管理,因此您不需要為其管理員設定 IAM 政策。
**重要**
上述政策陳述式涵蓋 AWS Control Tower 服務受管操作,例如自動註冊帳戶,其中 AWS Control Tower 擔任該`AWSControlTowerAdmin`角色。不過,對於客戶起始的操作,例如透過 Account Factory 佈建帳戶或直接呼叫 AWS Control Tower APIs, AWS Control Tower 會使用[轉送存取工作階段 (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html),並在客戶自己的 IAM 角色下操作。這表示您用來啟動這些操作的 IAM 角色也需要客戶受管 KMS 金鑰的`kms:Decrypt`許可。
將下列 KMS 金鑰政策陳述式與上述`AWSControlTowerAdmin`陳述式一起新增。將 *MyControlTowerRole* 取代為您用來互動之 IAM 角色的 ARN AWS Control Tower,例如 IAM Identity Center 許可集角色 (例如 `AWSReservedSSO_PermissionSetName_*`)、用於自動化的自訂 IAM 角色,或任何其他用於呼叫 AWS Control Tower 或 AWS Service Catalog APIs的角色。
客戶起始 AWS Control Tower 操作的 KMS 金鑰政策陳述式:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityCenterForControlTower",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityStoreForControlTower",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
## 將 IAM Identity Center 用於 Amazon EC2 執行個體的基準 KMS 金鑰和 IAM 政策陳述式
在 中使用下列 KMS 金鑰政策陳述式範本[步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements),以允許 Amazon EC2 執行個體的單一登入 (SSO) 使用者跨帳戶使用 KMS 金鑰。
+ 在主體欄位中指定用於存取 IAM Identity Center 的 IAM 主體。如需 IAM 主體的詳細資訊,請參閱《*IAM 使用者指南*》中的[指定主體](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 此政策陳述式允許任何 IAM Identity Center 執行個體使用 KMS 金鑰。若要限制對特定 IAM Identity Center 執行個體的存取,請參閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)。
+ 若要在重新建立許可集時協助防止 IAM 角色名稱變更,請使用自訂信任政策範例中所述的方法。
KMS 金鑰政策陳述式
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
在 中使用下列 IAM 政策陳述式範本[步驟 4:設定 KMS 金鑰跨帳戶使用的 IAM 政策](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key),以允許 SSO 到 EC2 執行個體使用 KMS 金鑰。
將 IAM 政策陳述式連接到您用來允許 SSO 存取 Amazon EC2 執行個體的 IAM Identity Center 中現有的許可集。如需 IAM 政策範例,請參閱 *AWS Systems Manager 使用者指南*中的[遠端桌面通訊協定連線](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html#rdp-iam-policy-examples)。
+ 將資源元素中的範例 ARN 取代為您實際的 KMS 金鑰 ARN。如需尋找參考識別符值的說明,請參閱 [尋找所需識別符的位置](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
許可集 IAM 政策:
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 搭配 IAM Identity Center 使用自訂工作流程的基準 KMS 金鑰和 IAM 政策陳述式
在 中使用下列 KMS 金鑰政策陳述式範本[步驟 2:準備 KMS 金鑰政策陳述式](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements),以允許 AWS Organizations 管理帳戶或委派管理帳戶中的自訂工作流程使用 KMS 金鑰。請注意,客戶受管應用程式的 SAML 聯合不需要 KMS 金鑰許可。
+ 在主體元素中,指定用於存取 IAM Identity Center 服務 APIs IAM 主體。如需 IAM 主體的詳細資訊,請參閱《*IAM 使用者指南*》中的[指定主體](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)。
+ 這些政策陳述式可讓您的工作流程透過任何 IAM Identity Center 執行個體使用 KMS 金鑰。若要限制對特定 IAM Identity Center 執行個體的存取,請參閱 [進階 KMS 金鑰政策陳述式](advanced-kms-policy.md)。
+ 若要在重新建立許可集時協助防止 IAM [自訂信任政策範例](referencingpermissionsets.md#custom-trust-policy-example) 角色名稱變更,請使用中所述的方法。
KMS 金鑰政策聲明:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
}
]
}
```
在 中使用下列 IAM 政策陳述式範本[步驟 4:設定 KMS 金鑰跨帳戶使用的 IAM 政策](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key),以允許與自訂工作流程相關聯的 IAM 主體跨帳戶使用 KMS 金鑰。將 IAM 政策陳述式新增至 IAM 主體。
+ 將資源元素中的範例 ARN 取代為您實際的 KMS 金鑰 ARN。如需尋找參考識別符值的說明,請參閱 [尋找所需識別符的位置](identity-center-customer-managed-keys.md#find-the-required-identifiers)。
IAM 政策陳述式 (僅適用於跨帳戶使用):
```
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Condition": {
"StringLike": {
"kms:ViaService": [
"sso.*.amazonaws.com",
"identitystore.*.amazonaws.com"
]
}
}
}]
}
```
## 常見使用案例的 KMS 金鑰政策陳述式範例
### 具有委派管理員和 AWS 受管應用程式的 IAM Identity Center
本節包含範例 KMS 金鑰政策陳述式,可用於具有委派管理員和 AWS 受管應用程式的 IAM Identity Center 執行個體。
**重要**
KMS 金鑰政策陳述式假設您的 IAM Identity Center 執行個體不會用於需要 KMS 金鑰許可的任何其他使用案例。若要確認,您可以檢閱所有[使用案例](identity-center-customer-managed-keys.md#identify-use-cases)。此外,若要確認您的受管 AWS 應用程式是否需要其他組態,請參閱 [某些 AWS 受管應用程式中的其他組態](identity-center-customer-managed-keys.md#additional-config-in-some-aws-apps)
複製資料表下方的 KMS 金鑰政策陳述式,並將其新增至您的 KMS 金鑰政策。此範例使用下列範例值:
+ `111122223333` - IAM Identity Center 執行個體的帳戶 ID
+ `444455556666` - 委派的管理帳戶 ID
+ `o-a1b2c3d4e5` - AWS 組織 ID
+ ` arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*` - 從許可集 *Admin* 佈建的 IAM Identity Center 管理員 IAM 角色萬用字元模式。這類角色包含主要區域的區域代碼 (在此範例中為us-east-1)。
+ ` arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*` - 從許可集 *DelegatedAdmin* 佈建的 IAM Identity Center 委派管理員 IAM 角色的萬用字元模式。這類角色包含主要區域的區域代碼 (在此範例中為us-east-1)。
如果 IAM 角色不是從許可集產生,IAM 角色看起來會像一般角色,例如 `arn:aws:iam::111122223333:role/idcadmin`。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:root"
]
},
"Action": "kms:DescribeKey",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
"arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
]
}
}
},
{
"Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "sso.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIdentityStoreToUseTheKMSKey",
"Effect": "Allow",
"Principal": {
"Service": "identitystore.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"StringEquals": {
"aws:SourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
"Effect": "Allow",
"Principal": {
"Service": [
"identitystore.amazonaws.com",
"sso.amazonaws.com"
]
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
}
}
},
{
"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-a1b2c3d4e5"
},
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "sso.*.amazonaws.com",
"kms:EncryptionContext:aws:sso:instance-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
},
{
"Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "identitystore.*.amazonaws.com",
"kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:SourceOrgID": "o-a1b2c3d4e5"
}
}
}
]
}
```