I am trying to understand what the policy below means, especially the Principal Service part. I have attached it to an AWS KMS key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
Does it mean that my software (running inside a Docker container in Fargate) can call this KMS key to encrypt data?
OR
Does it mean that ECS itself can call this KMS key to encrypt something?
In this case it means both things. This is because IAM Roles for Tasks as well as the ECS task execution IAM role use the same principal, ecs-tasks.amazonaws.com.
You would have to specify exactly which role in Resource can use the key. For now, with * only, any role, either IAM Roles for Tasks or the ECS task execution IAM role, can use such a key.
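As an added example (not part of the question or the answer above), here is a small Python check that reads a KMS key policy and flags Allow statements whose Principal is a bare service principal with no Condition, i.e. statements that do not name a specific role or account. It embeds the policy from the question as constructed input and, beside it, a narrowed variant that names one task role ARN in Principal; the account id and role name in that ARN are placeholders, not values from the thread.

```python
import json

# Constructed sample input: the key policy from the question, as posted.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ecs-tasks.amazonaws.com" },
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample: the same grant narrowed to one named IAM role.
# The account id and role name are placeholders, not values from the post.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-task-role"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_kinds(policy):
    """Classify each statement's Principal as 'service', 'aws' (account, role
    or user ARN), 'wildcard' or 'other', in statement order."""
    kinds = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if principal == "*":
            kinds.append("wildcard")
        elif isinstance(principal, dict) and "Service" in principal:
            kinds.append("service")
        elif isinstance(principal, dict) and "AWS" in principal:
            kinds.append("aws")
        else:
            kinds.append("other")
    return kinds


def unscoped_service_grants(policy):
    """Return one finding per Allow statement that grants a bare service
    principal without any Condition. Such a statement names a service, not a
    particular role or account, so it is worth reviewing during a key-policy
    audit."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and "Service" in principal):
            continue
        if stmt.get("Condition"):
            # A Condition block narrows the caller; this simple check does not
            # evaluate it and just leaves conditioned statements unflagged.
            continue
        findings.append({
            "statement": index,
            "services": _as_list(principal["Service"]),
            "actions": sorted(_as_list(stmt.get("Action"))),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("as posted", BROAD_POLICY), ("scoped to a role", SCOPED_POLICY)):
        print(name, principal_kinds(policy), unscoped_service_grants(policy))
```

Run stand-alone it prints one finding for the posted policy and none for the role-scoped variant. The check deliberately does not evaluate Condition blocks; treat an unflagged conditioned statement as "needs manual review", not as approved.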