SEITE 13 Listing: Beispielrichtlinie
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToPerformS3ActionsOnTest", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
SEITE 24 Listing 1: IAM-Policy für den Zugriff auf KMS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateKey", "kms:Describe*", "kms:Get*", "kms:List*", "kms:Encrypt", "kms:Decrypt" ], "Resource": "*" } ] }
Listing 2: KMS-Key-Policy zur Berechtigung von Usern
{ "Version": "2012-10-17", "Id": "key-consolepolicy-1", "Statement": [ { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::111122223333:user/KMSAdminUser" ]}, "Action": [ "kms:Create*", "kms:Describe*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::111122223333:user/EncryptionUser" ]}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } ] }