Resource-based policy examples for AWS KMS - AWS Database Migration Service


Resource-based policy examples for AWS KMS

AWS DMS lets you create custom AWS KMS encryption keys to encrypt supported target endpoint data. To learn how to create a key policy and attach it to an encryption key that you create to support target data encryption, see Creating and using AWS KMS keys to encrypt Amazon Redshift target data and Creating AWS KMS keys to encrypt Amazon S3 target objects.

Custom encryption key policy for AWS KMS encryption of Amazon Redshift target data

The following example shows the JSON for the key policy that you create for the AWS KMS encryption key you created to encrypt Amazon Redshift target data.

    {
      "Id": "key-consolepolicy-3",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:root" ] },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/Admin" ] },
          "Action": [
            "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
            "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
            "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role" ] },
          "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
          "Resource": "*"
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role" ] },
          "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
          "Resource": "*",
          "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }
        }
      ]
    }

Here you can see where the key policy references the role for accessing the Amazon Redshift target endpoint data, a role you created before creating the key. In this example, that role is DMS-Redshift-endpoint-access-role. You can also see the different key actions permitted to different principals (users and roles). For example, any user with DMS-Redshift-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside AWS KMS, and can return details about an AWS KMS key, such as the key you just created. In addition, such a user can manage the attachment of AWS resources, such as the target endpoint, to the key through grants.

Custom encryption key policy for AWS KMS encryption of Amazon S3 target data

The following example shows the JSON for the key policy that you create for the AWS KMS encryption key you created to encrypt Amazon S3 target data.

    {
      "Id": "key-consolepolicy-3",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:root" ] },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/Admin" ] },
          "Action": [
            "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
            "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
            "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role" ] },
          "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
          "Resource": "*"
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role" ] },
          "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
          "Resource": "*",
          "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }
        }
      ]
    }

Here you can see where the key policy references the role for accessing the Amazon S3 target endpoint data, a role you created before creating the key. In this example, that role is DMS-S3-endpoint-access-role. You can also see the different key actions permitted to different principals (users and roles). For example, any user with DMS-S3-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside AWS KMS, and can return details about an AWS KMS key, such as the key you just created. In addition, such a user can manage the attachment of AWS resources, such as the target endpoint, to the key through grants.
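Both policies above have the same shape: the endpoint access role gets exactly the five "use" actions, and the grant actions are limited by the kms:GrantIsForAWSResource condition. The script below, added here as an example and not part of the AWS documentation, checks a key policy for that shape before you attach it; SAMPLE_POLICY is a constructed compact copy of the Amazon S3 example above, and weakened_policy() is a constructed variant with two mistakes that the check flags.

```python
import copy
import fnmatch

ROLE = "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
# Actions the endpoint role needs on the key, and the grant actions that the
# page's policy conditions on kms:GrantIsForAWSResource.
REQUIRED_USE = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey")
GRANT_ACTIONS = ("kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant")
# Compact copy of the page's S3 key policy, constructed here as sample input.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::987654321098:root"}, "Action": "kms:*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [ROLE]}, "Action": list(REQUIRED_USE)},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": [ROLE]}, "Action": list(GRANT_ACTIONS), "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}}]}

def _as_list(value):  # IAM accepts a bare string where a list is allowed
    return value if isinstance(value, list) else [value]
def _covered(action, patterns):  # both sides may end in '*', e.g. kms:ReEncrypt*
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)
def check_key_policy(policy, role_arn):
    """Return findings (strings) about how `policy` treats the endpoint role."""
    findings, allowed = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        actions, sid = _as_list(stmt.get("Action", [])), stmt.get("Sid", "<no Sid>")
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' opens the key to every AWS account")
        if role_arn not in principals and "*" not in principals:
            continue
        allowed += actions
        flag = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if any(_covered(g, actions) for g in GRANT_ACTIONS) and str(flag).lower() != "true":
            findings.append(f"{sid}: grant actions not limited by kms:GrantIsForAWSResource")
    missing = [a for a in REQUIRED_USE if not _covered(a, allowed)]
    if missing:
        findings.append(f"{role_arn} lacks: {', '.join(missing)}")
    return findings
def weakened_policy():
    """Constructed variant with two common mistakes: no grant Condition, '*' principal."""
    bad = copy.deepcopy(SAMPLE_POLICY)
    del bad["Statement"][2]["Condition"]
    bad["Statement"][1]["Principal"] = {"AWS": "*"}
    return bad
```

Run check_key_policy on the policy JSON loaded from your own key (for example the output of `aws kms get-key-policy`) with the ARN of your endpoint access role; an empty list means the role has exactly the permissions the examples above give it.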