- {
- "Id": "key-consolepolicy-3",
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "Enable IAM User Permissions",
- "Effect": "Allow",
- "Principal": {
- "AWS": [ "arn:aws:iam::${account}:root" ]
- },
- "Action": "kms:*",
- "Resource": "*"
- },
- {
- "Sid": "Allow use of the key",
- "Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::${account}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
- "arn:aws:iam::${account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet"
- ]
- },
- "Action": [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey"
- ],
- "Resource": "*"
- },
- {
- "Sid": "Allow attachment of persistent resources",
- "Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::${account}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
- "arn:aws:iam::${account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet"
- ]
- },
- "Action": [
- "kms:CreateGrant",
- "kms:ListGrants",
- "kms:RevokeGrant"
- ],
- "Resource": "*",
- "Condition": {
- "Bool": {
- "kms:GrantIsForAWSResource": "true"
- }
- }
- }
- ]
- }