AWS CDK grant decrypt permission to Kinesis Data Stream's AWS managed CMK
I am configuring a Kinesis Data Stream with the AWS managed KMS key, plus a delivery stream that reads from the stream. I have a problem with how to add a decrypt policy for the managed key to the delivery stream role. The code is shown below; the problem is that fetching the key via the 'aws/kinesis' alias does not work unless I have a way to add a dependency on the 'kinesisStream' resource. But there is no 'addDependsOn' method on the IKey interface. How can I make sure the stream (and its managed KMS key) is created before I try to fetch that key?
const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
  streamName: `my-stream`,
  shardCount: 1,
  encryption: kinesis.StreamEncryption.MANAGED,
  retentionPeriod: cdk.Duration.days(1),
});

const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
  assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});

// How to add dependency to kinesisStream resource to ensure it's created before trying to fetch KMS key using 'fromLookup'?
// Now getting:
// [Error at /my-stack] Could not find any key with alias named aws/kinesis
const managedKinesisKmsKey = kms.Key.fromLookup(this, 'managedKinesisKmsKey', {
  aliasName: 'aws/kinesis',
});

const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
  roles: [kinesisStreamRole],
  statements: [
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      resources: [managedKinesisKmsKey.keyArn],
      actions: ['kms:Decrypt'],
    }),
  ],
});
You can grant access to this AWS managed key by using the key alias. We know that the alias of the Kinesis service-specific AWS managed key is 'aws/kinesis'.
AWS developer guide on using aliases to control access to KMS keys: https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html
Working solution
const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
  streamName: `my-stream`,
  shardCount: 1,
  encryption: kinesis.StreamEncryption.MANAGED,
  retentionPeriod: cdk.Duration.days(1),
});

const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
  assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});

const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
  roles: [kinesisStreamRole],
  statements: [
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      resources: ['*'],
      actions: ['kms:Decrypt'],
      conditions: {
        StringLike: {
          'kms:RequestAlias': 'aws/kinesis',
        },
      },
    }),
  ],
});
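The wildcard resource in the answer is only acceptable because the kms:RequestAlias condition narrows it. As an added check (not code from the question or the answer), the TypeScript lint below walks a synthesized CloudFormation template and flags any kms:Decrypt statement that allows Resource "*" without a narrowing condition; the template and its logical IDs are constructed here to mirror the accepted answer plus one deliberately over-broad policy.

```typescript
// Added example: lint a synthesized CloudFormation template for KMS decrypt
// statements that use Resource "*" without a scoping condition.
// The template below is constructed; logical IDs are hypothetical.

interface Statement {
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface Finding { logicalId: string; index: number; reason: string; }

// Condition keys that meaningfully narrow a wildcard KMS resource.
const SCOPING_KEYS = ['kms:RequestAlias', 'kms:ResourceAliases', 'kms:ViaService'];

function findUnscopedKmsDecrypt(template: { Resources: Record<string, any> }): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const stmts: Statement[] = (res.Properties && res.Properties.PolicyDocument &&
      res.Properties.PolicyDocument.Statement) || [];
    stmts.forEach((s, index) => {
      const actions = ([] as string[]).concat(s.Action);
      const resources = ([] as string[]).concat(s.Resource);
      const grantsDecrypt = actions.some(a => a === 'kms:Decrypt' || a === 'kms:*');
      if (s.Effect !== 'Allow' || !grantsDecrypt || !resources.some(r => r === '*')) return;
      // Collect every condition key across all operators (StringLike, StringEquals, ...).
      const condKeys: string[] = [];
      for (const op of Object.keys(s.Condition || {})) condKeys.push(...Object.keys(s.Condition![op]));
      if (!condKeys.some(k => SCOPING_KEYS.indexOf(k) >= 0)) {
        findings.push({ logicalId, index, reason: 'kms:Decrypt on Resource "*" without a scoping condition' });
      }
    });
  }
  return findings;
}

// Constructed sample: the answer's alias-scoped statement, and an unscoped one.
const SAMPLE_TEMPLATE = {
  Resources: {
    managedKinesisKmsKeyPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: 'kms:Decrypt', Resource: '*',
        Condition: { StringLike: { 'kms:RequestAlias': 'aws/kinesis' } } },
    ] } } },
    tooBroadPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: '*' },
    ] } } },
  },
};
```

Run it against the output of `cdk synth` to catch a wildcard grant before deployment; a real template may also carry non-string Resource entries (Fn::GetAtt), which this lint simply ignores.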