Enabling CloudTrail to encrypt
Hello guys, will this key policy work if updated for CloudTrail? Thanks in advance.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/CMKUser",
        "arn:aws:iam::111122223333:role/CMKRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": [
            "arn:aws:cloudtrail:*:111111111111:trail/*",
            "arn:aws:cloudtrail:*:222222222222:trail/*"
          ]
        }
      }
    }
  ]
}
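
An added example, not part of the original post: a simplified Python evaluation of the "Enable CloudTrail Encrypt Permissions" statement above, showing which CloudTrail requests its Action and StringLike condition admit. The function names, the trail ARNs used as inputs, and the evaluation shortcuts (Allow statements with a service principal and this one condition key only, no Deny handling) are assumptions of the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed excerpt: only the CloudTrail statement from the policy in the post.
POLICY = json.loads("""
{"Statement": [{
  "Sid": "Enable CloudTrail Encrypt Permissions",
  "Effect": "Allow",
  "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": "kms:GenerateDataKey*",
  "Resource": "*",
  "Condition": {"StringLike": {
    "kms:EncryptionContext:aws:cloudtrail:arn": [
      "arn:aws:cloudtrail:*:111111111111:trail/*",
      "arn:aws:cloudtrail:*:222222222222:trail/*"]}}
}]}
""")

CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def service_allowed(policy, service, action, trail_arn):
    """True if some Allow statement grants `action` to `service` for this trail ARN."""
    for st in policy["Statement"]:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if service not in as_list(principal.get("Service", [])):
            continue
        # Action names are case-insensitive and may carry * wildcards.
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in as_list(st["Action"])):
            continue
        patterns = st.get("Condition", {}).get("StringLike", {}).get(CTX_KEY)
        # StringLike is case-sensitive. fnmatchcase also gives [..] a special
        # meaning, which the ARN patterns here do not use.
        if patterns is None or any(fnmatchcase(trail_arn, p)
                                   for p in as_list(patterns)):
            return True
    return False
```

With this statement alone, only trails in accounts 111111111111 and 222222222222 pass the encryption-context condition, and the CloudTrail service principal is granted no action other than `kms:GenerateDataKey*`.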