Lambda function unable to execute CreateAlias on CMK

0

A customer would like to create customer master keys (CMKs) in KMS across all AWS regions. They would also like to use the same alias for their CMKs across regions. To do that they have a CloudFormation template, but CloudFormation does not support specifying a key alias: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

They looked at using a CustomResource within CloudFormation to invoke a Lambda function. The function takes the key ID and the alias name, then tries to apply the alias to the given key ID. Unfortunately the Lambda function does not have access to execute CreateAlias or any KMS API. It appears the KMS-specific key policy does not have a way to specify a Lambda ARN; it currently only supports an IAM user or IAM role.

I would like to know if someone else has faced a similar problem in the past and, if so, what your workaround/solution was. Also, please suggest if we are missing any documentation, feature, or best practice that is already available to accomplish the use case above.

1 answer
0
Accepted answer

There is a workaround to grant permissions to assumed-role users by using the aws:userid policy variable and [IAM policy conditions](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition). The approach is outlined in this AWS blog post.

KMS/Lambda-specific approach:

  1. Create a new role to act as the execution role for Lambda (e.g. lambda_test_kms_execution).
  2. Make sure to give the execution role permissions to create the alias:

```json
{
    "Effect": "Allow",
    "Action": "kms:CreateAlias",
    "Resource": "*"
}
```

  3. Use the AWS CLI to get the unique RoleId for the role:

```
aws iam get-role --role-name lambda_test_kms_execution
```

     Assume the output contains "RoleId": "ARO1234567890".

  4. Add statement(s) to the KMS key policy that use Condition to match aws:userid against the unique RoleId:

```json
{
    "Sid": "Deny IAM User Permissions",
    "Effect": "Deny",
    "Principal": { "AWS": "*" },
    "Action": "kms:CreateAlias",
    "Resource": "*",
    "Condition": {
        "StringNotLike": { "aws:userid": "ARO1234567890:*" }
    }
}
```

AWS
answered 8 years ago
EXPERT
reviewed a year ago
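As an added example (not code from the answer above or from AWS), the following Python appends the step 4 Deny statement to an existing key policy and checks offline which aws:userid values it blocks, showing why the "RoleId:*" pattern matches every session of the Lambda execution role and nothing else. The RoleId, key policy and user IDs are constructed sample values.

```python
import fnmatch
import json

# Constructed sample values (assumptions, not taken from a real account).
ROLE_ID = "ARO1234567890"  # the "RoleId" field printed by `aws iam get-role`


def lock_alias_to_role(key_policy: dict, role_id: str) -> dict:
    """Return a copy of key_policy with the answer's Deny statement appended.

    aws:userid for an assumed-role session is "<RoleId>:<session-name>", so the
    StringNotLike pattern "<RoleId>:*" is false (i.e. the Deny does not apply)
    only for sessions of that role, such as the Lambda execution role.
    """
    policy = json.loads(json.dumps(key_policy))  # deep copy, input untouched
    policy.setdefault("Statement", []).append({
        "Sid": "Deny IAM User Permissions",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "kms:CreateAlias",
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
    })
    return policy


def create_alias_denied(key_policy: dict, user_id: str) -> bool:
    """Evaluate only the Deny statements of the policy for kms:CreateAlias.

    Narrow offline check of the StringNotLike/aws:userid condition, not a full
    IAM evaluator: an explicit Deny applies whenever its condition is true for
    the caller's aws:userid. IAM wildcards (* and ?) are matched with fnmatch.
    """
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "kms:CreateAlias" not in actions and "kms:*" not in actions:
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userid")
        if patterns is None:
            return True  # unconditional Deny on the action
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not any(fnmatch.fnmatchcase(user_id, p) for p in patterns):
            return True  # userid matches no pattern, so StringNotLike is true
    return False
```

Run against a caller ID like "ARO1234567890:lambda-session" the Deny does not apply, while an IAM user ID or another role's session is denied.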
