73 lines
2 KiB
Text
73 lines
2 KiB
Text
|
{
|
||
|
|
"Id": "key-consolepolicy-3",
|
||
|
|
"Version": "2012-10-17",
|
||
|
|
"Statement": [
|
||
|
|
{
|
||
|
|
"Sid": "Enable IAM User Permissions",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": {
|
||
|
|
"AWS": "arn:aws:iam::{{ aws_caller_info.account }}:root"
|
||
|
|
},
|
||
|
|
"Action": "kms:*",
|
||
|
|
"Resource": "*"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"Sid": "Allow access for Key Administrators",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": {
|
||
|
|
"AWS": "{{ aws_caller_info.arn }}"
|
||
|
|
},
|
||
|
|
"Action": [
|
||
|
|
"kms:Create*",
|
||
|
|
"kms:Describe*",
|
||
|
|
"kms:Enable*",
|
||
|
|
"kms:List*",
|
||
|
|
"kms:Put*",
|
||
|
|
"kms:Update*",
|
||
|
|
"kms:Revoke*",
|
||
|
|
"kms:Disable*",
|
||
|
|
"kms:Get*",
|
||
|
|
"kms:Delete*",
|
||
|
|
"kms:TagResource",
|
||
|
|
"kms:UntagResource",
|
||
|
|
"kms:ScheduleKeyDeletion",
|
||
|
|
"kms:CancelKeyDeletion"
|
||
|
|
],
|
||
|
|
"Resource": "*"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"Sid": "Allow use of the key",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": {
|
||
|
|
"AWS": "{{ aws_caller_info.arn }}"
|
||
|
|
},
|
||
|
|
"Action": [
|
||
|
|
"kms:Encrypt",
|
||
|
|
"kms:Decrypt",
|
||
|
|
"kms:ReEncrypt*",
|
||
|
|
"kms:GenerateDataKey*",
|
||
|
|
"kms:DescribeKey"
|
||
|
|
],
|
||
|
|
"Resource": "*"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"Sid": "Allow attachment of persistent resources",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": {
|
||
|
|
"AWS": "{{ aws_caller_info.arn }}"
|
||
|
|
},
|
||
|
|
"Action": [
|
||
|
|
"kms:CreateGrant",
|
||
|
|
"kms:ListGrants",
|
||
|
|
"kms:RevokeGrant"
|
||
|
|
],
|
||
|
|
"Resource": "*",
|
||
|
|
"Condition": {
|
||
|
|
"Bool": {
|
||
|
|
"kms:GrantIsForAWSResource": "true"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|