#amazon-web-services #amazon-cloudformation
Вопрос:
Я пытаюсь создать ключ KMS, чтобы использовать его в службе S3, но получаю исключение MalformedPolicyDocument. Вот ресурс:
```json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "KMS Key that will be used to encrypt the data, backup, and temp EBS volumes as well as on the S3 backup bucket to enforce encryption at rest",
"Parameters": {
"ApplicationAssetInsightId": {
"Description": "Application Asset Insight Id for the project used to tag the instance",
"Type": "String",
"AllowedPattern": "[0-9] "
},
"EnvironmentName": {
"Description": "This tag allows products to indicate the environment name, if different from the environment type",
"Type": "String",
"AllowedPattern": "[a-z0-9\.-] "
},
"EnvironmentType": {
"Description": "Environment Type for this instance used to tag the instance. e.g. DEVELOPMENT or PRODUCTION",
"Type": "String",
"AllowedValues": [
"LAB",
"DEVELOPMENT",
"QUALITY ASSURANCE",
"INTEGRATION TESTING",
"PRE-PRODUCTION",
"PRODUCTION"
]
},
"ProjectName": {
"Description": "Name of the project for tagging purposes",
"Type": "String",
"AllowedPattern": "[a-z0-9\.-] "
},
"ResourceOwner": {
"Description": "Resource Owner email id for the instance used for tagging purpose. Should be an email address.",
"Type": "String",
"AllowedPattern": "^[A-Za-z0-9._% -] @[A-Za-z0-9.-] \.[A-Za-z]{2,}$"
}
},
"Resources": {
"kmsKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"EnableKeyRotation": false,
"PendingWindowInDays": 7,
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "mssql-kms-key",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/ams_engineer_admin_user_role"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/role/ams_engineer_power_user_role"
]
]
}
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
],
"Tags": [
{
"Key": "application-asset-insight-id",
"Value": {
"Ref": "ApplicationAssetInsightId"
}
},
{
"Key": "environment-type",
"Value": {
"Ref": "EnvironmentType"
}
},
{
"Key": "resource-owner",
"Value": {
"Ref": "ResourceOwner"
}
}
]
}
}
},
"kmsKeyAlias": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": {
"Fn::Sub": "a${ApplicationAssetInsightId}-${ProjectName}-${EnvironmentName}"
},
"TargetKeyId": {
"Ref": "kmsKey"
}
}
}
}
}
```
Комментарии:
1. Каково полное сообщение об ошибке?