KMS for CloudWatch( Logs )
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow CloudWatch Logs Service to Use Key",
"Effect": "Allow",
"Principal": {
"Service": "logs.<현재_리전_코드>.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:<현재_리전_코드>:<본인의_계정_ID>:log-group:<생성할_로그_그룹_명_또는_*>"
}
}
},
{
"Sid": "Allow EC2 to View Logs",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:role/<생성한_EC2_IAM_Role_이름>"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow CloudWatch Logs Service to Use Key",
"Effect": "Allow",
"Principal": {
"Service": "logs.<YOUR_REGION>.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:<YOUR_REGION>:<YOUR_ACCOUNT_ID>:log-group:<YOUR_LOG_GROUP_NAME>"
}
}
},
{
"Sid": "Allow EC2 to View Logs",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_EC2_ROLE_NAME>"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
KMS for RDS (Password)
{
"Version": "2012-10-17",
"Id": "key-policy-for-rds-and-sm",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow EC2 to Decrypt Secrets",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:role/<생성한_EC2_IAM_Role_이름>"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow RDS Service to Create Grants",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:role/<생성한_EC2_IAM_Role_이름>"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow RDS Storage to be Accessed",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<본인의_계정_ID>:role/<생성한_EC2_IAM_Role_이름>"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Id": "key-policy-for-rds-and-sm",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow EC2 to Decrypt Secrets",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_EC2_ROLE_NAME>"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow RDS Service to Create Grants",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_EC2_ROLE_NAME>"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow RDS Storage to be Accessed",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_EC2_ROLE_NAME>"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}