[英]AWS CDK grant decrypt permission to Kinesis Data Stream's AWS managed CMK
我正在使用 AWS 托管 KMS 密钥以及从 stream 读取的交付 Stream 来配置 Kinesis 数据 Stream。在如何为托管密钥的交付 stream 角色添加解密策略方面存在问题。 代码如下所示,问题是使用“aws/kinesis”别名获取密钥不起作用,除非我有办法将依赖项添加到“kinesisStream”资源。 但是在 IKey 接口中没有 'addDependsOn' 方法。 在我尝试获取该密钥之前,如何确保创建 Stream(及其托管的 KMS 密钥)?
const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
streamName: `my-stream`,
shardCount: 1,
encryption: kinesis.StreamEncryption.MANAGED,
retentionPeriod: cdk.Duration.days(1),
});
const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});
// How to add dependency to kinesisStream resource to ensure it's created before trying to fetch KMS key using 'fromLookup'?
// Now getting:
// [Error at /my-stack] Could not find any key with alias named aws/kinesis
const managedKinesisKmsKey = kms.Key.fromLookup(this, 'managedKinesisKmsKey', {
aliasName: 'aws/kinesis',
});
const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
roles: [kinesisStreamRole],
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
resources: [managedKinesisKmsKey.keyArn],
actions: ['kms:Decrypt'],
}),
],
});
您可以使用密钥别名授予对此 AWS 托管密钥的访问权限。 我们知道 Kinesis 服务特定 AWS 托管密钥的别名是“aws/kinesis”。
使用别名控制对 KMS 密钥的访问的 AWS 开发人员指南: https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html
工作液
const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
streamName: `my-stream`,
shardCount: 1,
encryption: kinesis.StreamEncryption.MANAGED,
retentionPeriod: cdk.Duration.days(1),
});
const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});
const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
roles: [kinesisStreamRole],
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
resources: ['*'],
actions: ['kms:Decrypt'],
conditions: {
StringLike: {
'kms:RequestAlias': 'aws/kinesis',
},
},
}),
],
});
从数据 stream (Kinesis) 到 OpenSearch AWS 创建交付 stream (Firehose)
[英]Create delivery stream (Firehose) from data stream (Kinesis) to OpenSearch AWS
发送数据到 AWS Kinesis stream 与 Lambda 跨账户
[英]Sending data to AWS Kinesis stream cross-accounts with Lambda
使用 CDK 使 DynamoDB 表成为 Kinesis Data Stream 的消费者
[英]Make DynamoDB table a consumer for Kinesis Data Stream using CDK
如何在 AWS CDK 中使用 CloudFrontWebDistribution 启用 SecurityHeaders 的托管响应 header 策略?
[英]How to enable managed response header policy of SecurityHeaders with CloudFrontWebDistribution in AWS CDK?
无法向 Secrets Manager AWS CDK GoLang 授予 lambda 读取访问权限
[英]Not able to grant lambda read access to Secrets manager AWS CDK GoLang
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.