Lambda function unable to execute CreateAlias on CMK

0

A customer would like to create customer master keys (CMK) in KMS across all AWS regions. They would also like to use the same alias for their CMKs across regions. In order to do that they have a CloudFormation template, but CloudFormation does not support specifying a key alias: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

They looked at using a CustomResource within CloudFormation to invoke a Lambda function. The function takes the key-id and the alias name, then tries to apply the alias on the given key-id. Unfortunately the Lambda does not have access to execute CreateAlias or any KMS API. It appears the KMS-specific key policy does not have a way to specify a Lambda ARN; it currently only supports an IAM user or IAM role.

I would like to know if someone else has faced a similar problem in the past and, if so, what your workaround/solution was. Also, please suggest if we are missing any documentation, feature or best practice that is already available to accomplish the use case above.

1 Answer
0
Accepted answer

There is a workaround to grant permissions to assumed-role users by using the aws:userid Policy Variable and [IAM Policy Conditions](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition). The approach is outlined in this AWS Blog post.

KMS/Lambda-Specific Approach:

  1. Create a new Role to act as the execution role for Lambda (e.g. lambda_test_kms_execution).
  2. Make sure to give the execution role permissions to create the alias:

        {
            "Effect": "Allow",
            "Action": "kms:CreateAlias",
            "Resource": "*"
        }

  3. Use the AWS CLI to get the unique RoleId for the role:

        aws iam get-role --role-name lambda_test_kms_execution

     Assume the output contains "RoleId": "ARO1234567890".
  4. Add statement(s) to the KMS key policy that use Condition to match aws:userid against the unique RoleId:

        {
            "Sid": "Deny IAM User Permissions",
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": "kms:CreateAlias",
            "Resource": "*",
            "Condition": {
                "StringNotLike": { "aws:userid": "ARO1234567890:*" }
            }
        }

AWS
answered 8 years ago
EXPERT
verified a year ago
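The accepted answer's key-policy statement and the Lambda step, as an added example that is not part of the original post: it builds the Deny statement from a RoleId, checks offline which aws:userid values the StringNotLike condition would still deny, and shows a hypothetical CreateAlias handler with an injected KMS client (the RecordingKmsClient stub and the event field names are constructed for this example, not AWS or the poster's code).

```python
import fnmatch


def deny_unless_role_statement(role_id, action="kms:CreateAlias"):
    """Key-policy statement from the answer: deny `action` to every principal
    whose aws:userid does not start with the execution role's unique RoleId."""
    return {
        "Sid": "Deny IAM User Permissions",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": action,
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
    }


def statement_denies(statement, userid):
    """Local check of the StringNotLike condition (case-sensitive, * and ?
    wildcards): True when the Deny applies to this aws:userid value.
    An assumed-role session reports aws:userid as 'ROLEID:session-name'."""
    pattern = statement["Condition"]["StringNotLike"]["aws:userid"]
    return not fnmatch.fnmatchcase(userid, pattern)


class RecordingKmsClient:
    """Constructed stand-in for boto3's KMS client so the handler runs offline."""

    def __init__(self):
        self.calls = []

    def create_alias(self, AliasName, TargetKeyId):
        self.calls.append((AliasName, TargetKeyId))


def create_alias_handler(event, kms_client):
    """Hypothetical Lambda body: apply event['AliasName'] to event['KeyId'].
    KMS requires alias names to carry the 'alias/' prefix, so add it if absent."""
    alias = event["AliasName"]
    if not alias.startswith("alias/"):
        alias = "alias/" + alias
    kms_client.create_alias(AliasName=alias, TargetKeyId=event["KeyId"])
    return {"AliasName": alias, "KeyId": event["KeyId"]}


if __name__ == "__main__":
    stmt = deny_unless_role_statement("ARO1234567890")  # RoleId from the answer
    for uid in ("ARO1234567890:lambda_test_kms_execution", "AIDAEXAMPLEUSERID"):
        print(uid, "denied" if statement_denies(stmt, uid) else "allowed")
    client = RecordingKmsClient()
    print(create_alias_handler({"KeyId": "1234abcd-key", "AliasName": "shared-cmk"}, client))
```

Because the Deny matches every principal whose aws:userid does not carry the RoleId prefix, it also blocks administrators and any other role from calling CreateAlias on that key; run the check against each principal that is expected to manage aliases before deploying the policy.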
