"Version": "2012-10-17",
"Statement": [
{
"Sid": "SId#1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "123456789",
"kms:GranteePrincipal": "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
},
"ForAllValues:StringEquals": {
"kms:GrantOperations": [
"CreateGrant",
"DescribeKey",
"Encrypt",
"Decrypt",
"GenerateDataKey",
"GenerateDataKeyWithoutPlaintext"
]
},
"Bool": {
"aws:ViaAWSService": "true"
}
}
},
{
"Sid": "Sid#2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:root",
"arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
]
},
"Action": [
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "123456789",
"kms:ViaService": "ec2.us-east-1.amazonaws.com"
}
}
}
]
+ "kms:CallerAccount" = "123456789"
+ "kms:GranteePrincipal" = "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
}
}
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::123456789:root"
}
+ Resource = "*"
+ Sid = "Sid#2"
},
+ {
+ Action = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
]
+ Condition = {
+ StringEquals = {
+ "kms:CallerAccount" = "123456789"
+ "kms:ViaService" = "ec2.***.amazonaws.com"
}
}
+ Effect = "Allow"
+ Principal = {
+ AWS = [
+ "arn:aws:iam::123456789:root",
+ "arn:aws:iam::123456789:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService",
]
}
+ Resource = "*"
+ Sid = "Sid#1"
},
]
+ Version = "2012-10-17"
}
)
}