En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Minimal Privilege MSK SCRAM KMS Key policy

0

We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Our Security is asking to get the access to this KMS key down to the minimum privilege in the associated KMS key policy.

It seems the recommendation is to use Condition variables. Link : https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html

I have tried to use this in this manner:

Effect: Allow
Action: 
- kms:CreateGrant
- kms:Encrypt
Resource: "*"
Principal: "*"
Condition: 
     StringLike:
         kms:EncryptionContext:aws:secretsmanager:arn: 
          - "arn.aws.secretsmanager:us-west-2:*:secret:AmazonMSK_*"

but i get : "Access to KMS is not allowed"

a condition such as :

 Condition: 
     StringEquals:
         kms:ViaService: "secretsmanager.us-west-2.amazonaws.com"

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

Sujets
Sécurité, identité et conformitéAnalytique
Balises
Service AWS Key ManagementStreaming géré par Amazon pour Apache Kafka (Amazon MSK)Gestionnaire de secrets AWS
Langue
English
cb
demandé il y a un an712 vues
1 réponse
0
Réponse acceptée

I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encryption-context. Use extreme caution when updating the key policies so they don't become unmanageable -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html. Make sure you have a statement for key administration, in addition to, the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:

{
    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
        }
    }
}
AWS
AWS-Everett
répondu il y a un an
  • cb
    il y a un an

    That one works. Thanks!

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents