Decrypt CloudWatch logs only if user has KMS access

0

Hey folks,

I have a customer-managed KMS key that was created to encrypt a specific CloudWatch log group. In the key policy, I have something like:

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Your_account_ID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.region.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
                }
            }
        }
    ]
}

However, anyone in the AWS account can see the decrypted logs. Is it possible to only allow users that have access to this KMS key via kms:Decrypt* to decrypt logs, like we do in S3, or is it not possible to do this on CloudWatch log groups?

S3 Example: s3-bucket-access-default-encryption

2 Answers
0

Can they see the logs, or can they see the contents of the log streams?

The key policy looks correct. You will be relying on IAM policies to allow users to use the KMS keys.

Review what KMS keys are allowed by IAM permissions already assigned to users. Also review that the CloudWatch log groups are using KMS.

EXPERT
answered 3 months ago
  • To be clear, this is a user who has only the "ReadOnlyAccess" policy associated and no explicit access to the key (the key policy is the one above).

    This user can see the log group (correctly encrypted with KMS), the log streams of that group, and the log events themselves.

    The expected result would be: no access to the logs, because the user does not have access to the key needed to decrypt them.

  • Everything should work based on your information and description of how everything is set up. All I can suggest is to double check everything: the log group is using the expected KMS key, the user has no other policies attached directly or by group membership, and the KMS key has the correct policy.

0

While IAM does not directly support conditions based on the KMS key for log viewing actions, you can use resource tags and condition keys in IAM policies to approximate this. For example, tag your KMS key and log groups with specific attributes and use those in IAM policy conditions.

Here's an example IAM policy that incorporates tag-based conditions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewEncryptedLogs",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "ProjectX"
                }
            }
        },
        {
            "Sid": "DecryptWithSpecificKMSKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "ProjectX",
                    "kms:ViaService": "logs.region.amazonaws.com"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

EXPERT
answered 2 months ago
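The two policies in this thread both hinge on how IAM condition keys are evaluated: the question's key policy scopes the Logs service principal's kms:Decrypt to one log group through the encryption context, and the answer's IAM policy tries to scope log reads through tags. The following is an added example (not code from the question, the answers, or AWS) that models that evaluation with a small Python condition evaluator and runs both statements against constructed request contexts. The region, account id and log-group name are placeholders I chose; the evaluator supports only Allow statements with the StringEquals and ArnEquals operators, and it treats a condition key that is missing from the request context as a non-match, which is how IAM handles those operators. It shows two things: the key-policy condition is checked against the encryption context the Logs service supplies, not against the identity of whoever reads the logs, and a tag condition on a read action must use aws:ResourceTag, because aws:RequestTag is only populated on requests that carry tags.

```python
"""Toy model of IAM condition evaluation, written to illustrate the two
policies in this thread. Added example, not the AWS policy engine: single
Allow statements, StringEquals and ArnEquals only, and a condition key absent
from the request context is treated as a non-match (as IAM does for these
operators).
"""
import fnmatch


def _operator_matches(operator, expected, actual):
    if operator == "StringEquals":
        return actual == expected
    if operator == "ArnEquals":
        # ArnEquals permits * and ? wildcards in the policy value.
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def condition_matches(condition, context):
    """All operator blocks, and all keys within each block, must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # Key not present in the request (e.g. aws:RequestTag on a
                # read call): StringEquals/ArnEquals cannot be satisfied.
                return False
            if not _operator_matches(operator, expected, actual):
                return False
    return True


def statement_allows(statement, action, context):
    """True if the statement's Action covers `action` and its Condition holds."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    return condition_matches(statement.get("Condition", {}), context)


# Constructed placeholders standing in for the region/account/log-group
# names elided in the thread.
LOG_GROUP_ARN = "arn:aws:logs:eu-west-1:111122223333:log-group:app-logs"

# The CloudWatch Logs service statement from the question's key policy.
KEY_POLICY_LOGS_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": "logs.eu-west-1.amazonaws.com"},
    "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:Describe*"],
    "Resource": "*",
    "Condition": {
        "ArnEquals": {"kms:EncryptionContext:aws:logs:arn": LOG_GROUP_ARN}
    },
}


def logs_service_can_decrypt(log_group_arn):
    """kms:Decrypt as issued by CloudWatch Logs, which passes the log group
    ARN as encryption context; the key policy scopes the grant to that ARN."""
    context = {"kms:EncryptionContext:aws:logs:arn": log_group_arn}
    return statement_allows(KEY_POLICY_LOGS_STATEMENT, "kms:Decrypt", context)


# Two variants of a tag-scoped "view logs" statement. aws:RequestTag is only
# populated on requests that carry tags (tagging/creation calls), so requiring
# it on a read action can never be satisfied.
_READ_ACTIONS = ["logs:GetLogEvents", "logs:DescribeLogStreams"]
VIEW_LOGS_WITH_REQUEST_TAG = {
    "Effect": "Allow", "Action": _READ_ACTIONS, "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/Project": "ProjectX",
                                   "aws:ResourceTag/Project": "ProjectX"}},
}
VIEW_LOGS_RESOURCE_TAG_ONLY = {
    "Effect": "Allow", "Action": _READ_ACTIONS, "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Project": "ProjectX"}},
}


def user_can_get_log_events(statement, log_group_tags):
    """logs:GetLogEvents against a log group carrying `log_group_tags`; the
    request context holds the resource's tags but no request tags."""
    context = {f"aws:ResourceTag/{k}": v for k, v in log_group_tags.items()}
    return statement_allows(statement, "logs:GetLogEvents", context)


if __name__ == "__main__":
    print(logs_service_can_decrypt(LOG_GROUP_ARN))                                       # True
    print(logs_service_can_decrypt(LOG_GROUP_ARN.replace("app-logs", "other-group")))    # False
    print(user_can_get_log_events(VIEW_LOGS_WITH_REQUEST_TAG, {"Project": "ProjectX"}))   # False
    print(user_can_get_log_events(VIEW_LOGS_RESOURCE_TAG_ONLY, {"Project": "ProjectX"}))  # True
```

The first two calls reproduce the question's setup: the Logs service principal is allowed to decrypt for the tagged log group's ARN and for nothing else, and nothing in that check involves the reader. The last two calls reproduce the answer's tag approach: the variant that also demands aws:RequestTag/Project never matches a read call, while the aws:ResourceTag-only variant matches exactly the log groups tagged Project=ProjectX. Before relying on a real policy of this shape, confirm in the CloudWatch Logs and KMS documentation that each condition key is supported by every action the statement lists.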
