Minimal Privilege MSK SCRAM KMS Key policy


We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Our Security is asking to get the access to this KMS key down to the minimum privilege in the associated KMS key policy.

It seems the recommendation is to use Condition variables. Link :

I have tried to use this in this manner:

Effect: Allow
- kms:CreateGrant
- kms:Encrypt
Resource: "*"
Principal: "*"
          - "*:secret:AmazonMSK_*" 

but i get : "Access to KMS is not allowed"

a condition such as :

         kms:ViaService: ""

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

1 Answer
Accepted Answer

I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> Use extreme caution when updating the key policies so they don't become unmanageable -> Make sure you have a statement for key administration, in addition to, the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:

    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    "Action": [
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
answered a year ago
  • That one works. Thanks!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions