Use one of the KMS key policy statements below, depending on how many log groups the key should cover.
• Single log group
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.{region}.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:{region}:{account-id}:log-group:{log-group-name}"
    }
  }
}
• Multiple log groups
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.{region}.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "kms:EncryptionContext:aws:logs:arn": [
        "arn:aws:logs:{region}:{account-id}:log-group:{log-group-name1}",
        "arn:aws:logs:{region}:{account-id}:log-group:{log-group-name2}",
        "arn:aws:logs:{region}:{account-id}:log-group:{log-group-name3}"
      ]
    }
  }
}
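Both statements above rely on the same mechanism: CloudWatch Logs passes the log group ARN as the `aws:logs:arn` encryption context on every KMS call, and the `ArnEquals` condition lets the Logs service principal use the key only for the log groups you name. The following Python is an added example, not code from the page: it builds the single-group and multi-group variants of the statement, wraps them in a complete key policy, and runs a simplified evaluation of the condition so you can see which requests the statement would allow. The `Sid` values, the root-account administration statement, the sample region, account ID and log group names are all constructed for the demo; the evaluator covers only the principal, action and `ArnEquals` checks, not the full IAM evaluation logic.

```python
import fnmatch
import json

# Constructed sample values for the demo; replace with your own region, account and log group names.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"


def logs_key_policy_statement(region, account_id, log_group_names):
    """Build the statement shown above: a single ARN string for one log group,
    a list of ARNs for several (the 'single' and 'multiple' variants)."""
    arns = [f"arn:aws:logs:{region}:{account_id}:log-group:{name}" for name in log_group_names]
    return {
        "Sid": "AllowCloudWatchLogsForNamedLogGroups",  # Sid is an assumption, not on the page
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnEquals": {
            "kms:EncryptionContext:aws:logs:arn": arns[0] if len(arns) == 1 else arns}},
    }


def full_key_policy(region, account_id, log_group_names):
    """Wrap the statement in a complete key policy. The root-account statement is the
    usual KMS pattern that keeps the key administrable from the owning account; it is
    an assumption here and not part of the snippet on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAccountAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            logs_key_policy_statement(region, account_id, log_group_names),
        ],
    }


def arn_matches(pattern, arn):
    """ArnEquals/ArnLike semantics: case-sensitive; each of the six colon-delimited
    ARN components is compared separately and may contain * or ? wildcards."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(fnmatch.fnmatchcase(ac, pc) for pc, ac in zip(p, a))


def statement_allows(statement, service_principal, action, encryption_context):
    """Simplified evaluation of the Allow statement for one KMS request made by the
    CloudWatch Logs service: principal, action and the encryption-context condition
    must all match. A request whose context lacks aws:logs:arn never matches, because
    the condition key is then absent from the request."""
    if statement["Principal"]["Service"] != service_principal:
        return False
    if not any(fnmatch.fnmatchcase(action, pat) for pat in statement["Action"]):
        return False
    for key, allowed in statement["Condition"]["ArnEquals"].items():
        ctx_key = key.split("kms:EncryptionContext:", 1)[1]
        ctx_val = encryption_context.get(ctx_key)
        if ctx_val is None:
            return False
        patterns = [allowed] if isinstance(allowed, str) else allowed
        if not any(arn_matches(pat, ctx_val) for pat in patterns):
            return False
    return True


if __name__ == "__main__":
    groups = ["app/api", "app/worker"]  # constructed log group names
    stmt = logs_key_policy_statement(REGION, ACCOUNT_ID, groups)
    print(json.dumps(full_key_policy(REGION, ACCOUNT_ID, groups), indent=2))
    svc = f"logs.{REGION}.amazonaws.com"
    listed = {"aws:logs:arn": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:app/api"}
    other = {"aws:logs:arn": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:other"}
    print("listed log group:", statement_allows(stmt, svc, "kms:GenerateDataKey", listed))   # True
    print("unlisted log group:", statement_allows(stmt, svc, "kms:GenerateDataKey", other))  # False
```

The check worth keeping in mind when reviewing such a policy: if the condition is dropped, the `logs.{region}.amazonaws.com` principal can use the key for any log group in any account that associates it, so the `ArnEquals` block is what scopes the grant to your own log groups.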
