Minimal Privilege MSK SCRAM KMS Key policy


We are using MSK SCRAM, which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Our security team is asking us to get the access to this KMS key down to the minimum privilege in the associated KMS key policy.

It seems the recommendation is to use condition keys. Link: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html

I have tried to use this in this manner:

Effect: Allow
Action:
  - kms:CreateGrant
  - kms:Encrypt
Resource: "*"
Principal: "*"
Condition:
  StringLike:
    kms:EncryptionContext:aws:secretsmanager:arn:
      - "arn:aws:secretsmanager:us-west-2:*:secret:AmazonMSK_*"

but I get: "Access to KMS is not allowed"

A condition such as:

Condition:
  StringEquals:
    kms:ViaService: "secretsmanager.us-west-2.amazonaws.com"

works, but is not specific enough. Does anyone know what EncryptionContext key could be used for Secrets Manager conditions?

1 Answer

Accepted answer

I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encryption-context. Use extreme caution when updating the key policies so they don't become unmanageable -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html. Make sure you have a statement for key administration in addition to the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:

{
    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
        }
    }
}
AWS
answered a year ago
  • That one works. Thanks!
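As an added example (not part of the original thread or of the AWS answer above): a small offline evaluator, in Python, for the key-policy conditions discussed in this thread. It fills the accepted statement's placeholders with a made-up account ID, region and role name, models the asker's two earlier attempts beside it, and evaluates each against the request context that Secrets Manager presents to KMS, i.e. the kms:ViaService key plus the SecretARN encryption-context key named in the answer. The account ID, role name and secret ARNs are constructed for the example; only the condition keys and statement shapes come from the thread, and only Allow statements with StringEquals/StringLike are modelled.

```python
import re

# Placeholders (assumptions for this example, not values from the thread).
ACCOUNT = "111122223333"
REGION = "us-west-2"
MSK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/MSKRole"

# Statement from the accepted answer with the placeholders filled in.
ACCEPTED = {
    "Effect": "Allow",
    "Principal": {"AWS": MSK_ROLE},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {"StringLike": {
        "kms:EncryptionContext:SecretARN":
            f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:AmazonMSK_*"}},
}

# The question's first attempt: a condition key that Secrets Manager never sets.
FIRST_ATTEMPT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["kms:CreateGrant", "kms:Encrypt"],
    "Resource": "*",
    "Condition": {"StringLike": {
        "kms:EncryptionContext:aws:secretsmanager:arn":
            [f"arn:aws:secretsmanager:{REGION}:*:secret:AmazonMSK_*"]}},
}

# The kms:ViaService statement the question says works but is too broad.
VIA_SERVICE = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {"StringEquals": {
        "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
}


def iam_like(pattern: str, value: str) -> bool:
    """StringLike matching: '*' is any run of characters, '?' exactly one.
    Case-sensitive, as IAM's StringLike is."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block: operators are ANDed, listed values are ORed,
    and a key that is absent from the request context makes the test false."""
    for operator, tests in condition.items():
        for key, allowed in tests.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            if key not in ctx:
                return False
            if operator == "StringEquals":
                ok = ctx[key] in values
            elif operator == "StringLike":
                ok = any(iam_like(v, ctx[key]) for v in values)
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def is_allowed(stmt: dict, principal: str, action: str, ctx: dict) -> bool:
    """True if this single Allow statement matches principal, action and context.
    Explicit Deny statements and cross-statement merging are not modelled."""
    p = stmt["Principal"]
    principal_ok = p == "*" or p.get("AWS") in ("*", principal)
    action_ok = any(iam_like(a.lower(), action.lower()) for a in stmt["Action"])
    return (stmt["Effect"] == "Allow" and principal_ok and action_ok
            and condition_matches(stmt.get("Condition", {}), ctx))


def secretsmanager_ctx(secret_arn: str) -> dict:
    """Request context Secrets Manager presents to KMS when it protects a secret
    value: the call arrives via the service and carries SecretARN as context."""
    return {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com",
            "kms:EncryptionContext:SecretARN": secret_arn}


# Constructed secret ARNs. Secrets Manager appends a random suffix to the secret
# name, which is why the policy needs the trailing wildcard on AmazonMSK_*.
MSK_SECRET = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:AmazonMSK_cluster1-AbCdEf"
OTHER_SECRET = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/db-password-XyZ123"


def evaluate_all() -> dict:
    """Decisions for each statement against the two secrets, plus a direct
    kms:DescribeKey call, which carries no encryption context at all."""
    return {
        "accepted/msk": is_allowed(ACCEPTED, MSK_ROLE, "kms:Decrypt", secretsmanager_ctx(MSK_SECRET)),
        "accepted/other": is_allowed(ACCEPTED, MSK_ROLE, "kms:Decrypt", secretsmanager_ctx(OTHER_SECRET)),
        "accepted/describe": is_allowed(ACCEPTED, MSK_ROLE, "kms:DescribeKey", {}),
        "first/msk": is_allowed(FIRST_ATTEMPT, MSK_ROLE, "kms:Encrypt", secretsmanager_ctx(MSK_SECRET)),
        "viaservice/msk": is_allowed(VIA_SERVICE, MSK_ROLE, "kms:Decrypt", secretsmanager_ctx(MSK_SECRET)),
        "viaservice/other": is_allowed(VIA_SERVICE, MSK_ROLE, "kms:Decrypt", secretsmanager_ctx(OTHER_SECRET)),
    }


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:20} {'ALLOW' if decision else 'DENY'}")
```

Running the file prints the decision table. The evaluator mirrors the IAM rule that a condition key absent from the request makes the condition false: that is what sinks the first attempt (Secrets Manager does not set an encryption-context key named aws:secretsmanager:arn), and it is also why the SecretARN-conditioned statement grants nothing to a direct kms:DescribeKey call, which has no encryption context; if anything needs DescribeKey on this key, allow it in a separate statement rather than loosening this one. The kms:ViaService statement allows both secrets, which is the "not specific enough" behaviour the question describes.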
