By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to enable IAM policies for KMS keys in Chinese regions?

0

In most regions the following KMS key policy

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
   },
  "Action": "kms:*",
  "Resource": "*"
}

allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.

However, in the Beijing and Ningxia Regions, there is no concept of the "root user" or "account user" credentials. Creating KMS key with such policy (replacing arn:aws: with arn:aws-cn:) fails. Is it possible to enable IAM policies for KMS keys in Chinese regions? If so, how?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceSecurity, Identity, & ComplianceAWS Identity and Access ManagementAWS Account ManagementIAM Policies
Language
English
Chernetskyi
asked a year ago236 views
1 Answer
3
Accepted Answer

To enable IAM policies for KMS keys in Chinese regions, you can follow the below steps:

Open the AWS Key Management Service (KMS) console in the Chinese region where you want to enable IAM policies.

Choose the KMS key for which you want to enable IAM policies.

In the key details page, select the "Key Policy" tab.

Choose the "Edit" button to edit the key policy.

Add the following statement to the key policy:

"Statement": [ { "Sid": "Enable IAM Policies", "Effect": "Allow", "Principal": {"AWS": ""}, "Action": "kms:", "Resource": "*", "Condition": {"Bool": {"kms:AWSAccountId": "true"}} } ]

Save the key policy.

Once you enable IAM policies for KMS keys in the Chinese region, you can use IAM policies to control access to your KMS keys. For example, you can create an IAM policy that allows users to use a specific KMS key for encryption and decryption operations, but does not allow them to delete the key or modify its key policy.

Note that enabling IAM policies for KMS keys in the Chinese region is subject to specific regulatory requirements and may require additional steps. Please refer to the AWS documentation and consult with legal and regulatory compliance experts for guidance on specific requirements in the Chinese region.

AWS_Guy
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content