Decrypt CloudWatch logs only if user has KMS access

0

Hey folks,

I have a customer-managed KMS key that was created to encrypt a specific CloudWatch log group. In the key policy, I have something like:

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Your_account_ID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.region.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
                }
            }
        }
    ]
}

However, anyone in the AWS account can see the decrypted logs. Is it possible to only allow users that have access to this KMS key via kms:Decrypt* to decrypt logs, like we do in S3, or is it not possible to do this on CloudWatch log groups?

S3 Example: s3-bucket-access-default-encryption

2 answers
0

Can they see the logs, or can they see the contents of the log streams?

The key policy looks correct. You will be relying on IAM policies to allow users to use the KMS keys.

Review which KMS keys are allowed by the IAM permissions already assigned to users. Also review that the CloudWatch log groups are using KMS.

Expert
Answered 3 months ago
  • To be clear, this is a user who has only the "ReadOnlyAccess" policy associated and no explicit access to the key (the key policy is the one above).

    This user can see the log group (correctly encrypted by the KMS key), the log streams of that group, and the log events themselves.

    The expected result would be: no access to the logs because it does not have access to the decrypt key.

  • Everything should work based on your information and description of how everything is set up. All I can suggest is double check everything. Log group using the expected KMS key, user has no other policies attached directly or by group membership, KMS key is correct policy.

0

While IAM does not directly support conditions based on the KMS key for log viewing actions, you can use resource tags and condition keys in IAM policies to approximate this. For example, tag your KMS key and log groups with specific attributes and use those in IAM policy conditions.

Here's an example IAM policy that incorporates tag-based conditions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewEncryptedLogs",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Project": "ProjectX",
                    "aws:ResourceTag/Project": "ProjectX"
                }
            }
        },
        {
            "Sid": "DecryptWithSpecificKMSKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:RequestTag/Project": "ProjectX",
                    "kms:ViaService": "logs.region.amazonaws.com"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

Expert
Answered 2 months ago
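The first answer and its follow-up comments ask the poster to double check three things (the log group really uses the expected KMS key, the key policy really grants the CloudWatch Logs service principal use of the key, and that grant is scoped to the right log group), and the second answer turns to IAM conditions because the key policy above authorises the Logs service principal rather than individual callers. The script below is an added example, not code from the question, either answer, or AWS: it runs those checks offline over the JSON shapes that `aws logs describe-log-groups` and `aws kms get-key-policy --policy-name default` return. The account id, key ids, region and log-group names are constructed placeholders, and the sample key policy is modelled on the one in the question.

```python
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"   # placeholder account id, not a real account
REGION = "eu-west-1"
# placeholder key id, constructed for this example
EXPECTED_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"


def _lg_arn(name):
    # describe-log-groups returns log-group ARNs with a trailing ":*"
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{name}:*"


# Constructed sample in the shape of `aws logs describe-log-groups` output
# (only the fields the audit needs). These are not real resources.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/app/prod", "arn": _lg_arn("/app/prod"), "kmsKeyId": EXPECTED_KEY_ARN},
    {"logGroupName": "/app/prod-worker", "arn": _lg_arn("/app/prod-worker"), "kmsKeyId": EXPECTED_KEY_ARN},
    {"logGroupName": "/app/legacy", "arn": _lg_arn("/app/legacy")},  # no kmsKeyId at all
    {"logGroupName": "/app/other", "arn": _lg_arn("/app/other"),
     "kmsKeyId": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"},
]

# Constructed key policy modelled on the question's: the Logs service principal
# is scoped, via the encryption context, to the /app/prod log group only.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
         "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
         "Resource": "*",
         "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn":
                                     f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/app/prod"}}},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list in most policy positions
    return [value] if isinstance(value, str) else list(value or [])


def logs_service_statements(key_policy_json, region):
    """Allow statements whose principal is the CloudWatch Logs service principal for `region`."""
    service = f"logs.{region}.amazonaws.com"
    found = []
    for stmt in json.loads(key_policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and service in _as_list(principal.get("Service"))):
            found.append(stmt)
    return found


def encryption_context_scopes(stmt):
    """Log-group ARN patterns allowed by the statement's kms:EncryptionContext:aws:logs:arn
    condition; an empty list means the statement is not scoped to any log group."""
    scopes = []
    for operator, values in stmt.get("Condition", {}).items():
        if operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            scopes += _as_list(values.get("kms:EncryptionContext:aws:logs:arn"))
    return scopes


def log_group_in_scope(group_arn, scopes):
    """The encryption context carries the bare log-group ARN, without the ':*' suffix."""
    bare = group_arn[:-2] if group_arn.endswith(":*") else group_arn
    return any(fnmatchcase(bare, pattern) for pattern in scopes)


def audit(log_groups, key_policy_json, expected_key_arn, region):
    """Report the mismatches the comments above ask the poster to look for."""
    stmts = logs_service_statements(key_policy_json, region)
    unscoped = [s for s in stmts if not encryption_context_scopes(s)]
    scopes = [scope for s in stmts for scope in encryption_context_scopes(s)]
    using_key = [g for g in log_groups if g.get("kmsKeyId") == expected_key_arn]
    # an unscoped Logs statement covers every log group, so nothing is out of scope
    outside = [] if unscoped else [g["logGroupName"] for g in using_key
                                   if not log_group_in_scope(g["arn"], scopes)]
    return {
        "not_using_expected_key": sorted(g["logGroupName"] for g in log_groups
                                         if g.get("kmsKeyId") != expected_key_arn),
        "logs_service_can_use_key": bool(stmts),
        "unscoped_logs_statements": len(unscoped),
        "outside_encryption_context_scope": sorted(outside),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG_GROUPS, SAMPLE_KEY_POLICY, EXPECTED_KEY_ARN, REGION), indent=2))
```

On the sample data this reports `/app/legacy` and `/app/other` as not using the expected key, and `/app/prod-worker` as using the key while falling outside the key policy's encryption-context scope, so the Logs service would be allowed to use the key for `/app/prod` only. Because the decrypt grant is to the service principal, a caller with `ReadOnlyAccess` never calls `kms:Decrypt` themselves, which is why the logs-side `logs:GetLogEvents` permission, not the key policy, is the control to tighten if only some users should read this log group.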
