1 Answer
The following example IAM policy statement allows the principal to enable and disable KMS keys but only when all aliases of the KMS keys include "Test." This policy statement uses two conditions. The condition with the ForAllValues set operator requires that all aliases associated with the KMS key include "Test". The condition with the ForAnyValue set operator requires that the KMS key have at least one alias with "Test." Without the ForAnyValue condition, this policy statement would have allowed the principal to use KMS keys that had no aliases.
```json
{
  "Sid": "AliasBasedIAMPolicy",
  "Effect": "Allow",
  "Action": [
    "kms:EnableKey",
    "kms:DisableKey"
  ],
  "Resource": "arn:aws:kms:*:111122223333:key/*",
  "Condition": {
    "ForAllValues:StringLike": {
      "kms:ResourceAliases": [
        "alias/*Test*"
      ]
    },
    "ForAnyValue:StringLike": {
      "kms:ResourceAliases": [
        "alias/*Test*"
      ]
    }
  }
}
```
Answered 2 years ago
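The following is an added example, not part of the answer above and not AWS code: a simplified Python model of how the two set operators evaluate against `kms:ResourceAliases`, showing why `ForAllValues` alone admits a key with no aliases. The function names and the sample alias sets are constructed for illustration; only the `alias/*Test*` pattern comes from the policy statement.

```python
# Simplified model of IAM set-operator evaluation for a multivalued
# condition key. Constructed for illustration; not AWS's implementation.
import re

PATTERNS = ["alias/*Test*"]  # pattern taken from the policy statement

def string_like(value, pattern):
    # StringLike: case-sensitive match where * is any run and ? is one char.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None

def matches_any_pattern(value, patterns):
    return any(string_like(value, p) for p in patterns)

def for_all_values(aliases, patterns):
    # Every alias on the key must match; an empty set is vacuously True.
    return all(matches_any_pattern(a, patterns) for a in aliases)

def for_any_value(aliases, patterns):
    # At least one alias must match; an empty set is False.
    return any(matches_any_pattern(a, patterns) for a in aliases)

def allowed(aliases, with_for_any_value=True):
    # Condition operators inside one Condition block are ANDed together.
    result = for_all_values(aliases, PATTERNS)
    if with_for_any_value:
        result = result and for_any_value(aliases, PATTERNS)
    return result

# Constructed alias sets standing in for the aliases attached to a KMS key.
SAMPLE_KEYS = {
    "no aliases": [],
    "one Test alias": ["alias/ProjectTest"],
    "Test and non-Test": ["alias/ProjectTest", "alias/Prod"],
    "lowercase test": ["alias/project-test"],
}

if __name__ == "__main__":
    print(f"{'key':<20}{'ForAllValues only':<20}{'both conditions'}")
    for name, aliases in SAMPLE_KEYS.items():
        only_all = allowed(aliases, with_for_any_value=False)
        both = allowed(aliases)
        print(f"{name:<20}{str(only_all):<20}{both}")
```

The "no aliases" row is the case the answer describes: it passes with `ForAllValues` alone and is rejected once the `ForAnyValue` condition is added.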