Assign Role For Administrative and Usage Permission KMS

0

I want to enable Kubernetes secret encryption. In order to do that, I need to create a KMS key first. When creating a KMS key, there's a page to choose which roles will be assigned to the administrative and usage permissions.


My question is, what roles should I choose for the Administrative and Usage permissions?

My assumption is this:

Administrative

  • Role that will manage KMS (update key policy, add/remove tags, enable/disable automatic KMS key rotation, create/delete alias, enable/disable key, delete key)
  • Role that will set up Kubernetes secret encryption.

Usage

  • Role that will manage KMS (update key policy, add/remove tags, enable/disable automatic KMS key rotation, create/delete alias, enable/disable key, delete key)
  • Role that will set up Kubernetes secret encryption.
  • EKS role service

Are those assignments correct?

1 Answer
0

When creating a KMS key for encrypting Kubernetes secrets, the roles assigned to the administrative and usage permissions determine who is allowed to perform certain actions on the key.

For the administrative permissions, you should choose the role that will be responsible for managing the key, such as creating, modifying, or deleting it. This role should typically be assigned to a user or group within your organisation that has the necessary privileges for managing KMS keys.

For the usage permissions, you should choose the role that will be used to perform the encryption and decryption operations on the key. In the case of Kubernetes secrets, this role should be assigned to the worker nodes that run the containers in your cluster. You can do this by granting the necessary permissions to the worker node IAM role.

Ref: https://archive.eksworkshop.com/beginner/191_secrets

https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth

https://aws.github.io/aws-eks-best-practices/security/docs/data/

EXPERT
answered a year ago
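As an added illustration (not part of the question or the answer above), the block below builds a KMS key policy that keeps the two sets of permissions the answer describes separate: key administrators get the management actions (policy, tags, rotation, aliases, deletion) but cannot encrypt or decrypt, and the usage principals get only the cryptographic actions. The statement layout is modelled on the statements the KMS console generates for "Key administrators" and "Key usage"; the account ID and role ARNs are placeholders, the usage role is assumed to be whatever role EKS uses to call the key in your setup, and the small policy evaluator ignores conditions and Deny statements, so it is a least-privilege check on this policy shape rather than a general IAM simulator.

```python
"""Build a KMS key policy with separate administrative and usage statements and
check that neither set of principals leaks into the other's permissions.

Constructed example: the account ID and role ARNs below are placeholders.
"""
import fnmatch
import json

# Constructed placeholders; substitute your own account and role ARNs.
ACCOUNT_ID = "123456789012"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdministrator"
SETUP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EksSecretsEncryptionSetup"
# Assumed to be the role EKS uses when it calls the key for envelope encryption.
CLUSTER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EksClusterServiceRole"

# Management actions, modelled on the console's "Allow access for Key Administrators"
# statement. Note that kms:Encrypt / kms:Decrypt are deliberately absent.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]

# Cryptographic actions, modelled on the console's "Allow use of the key" statement.
USAGE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, admin_arns, usage_arns):
    """Return a key policy document (as a dict) with the three standard statements."""
    return {
        "Version": "2012-10-17",
        "Id": "eks-secrets-key-policy",
        "Statement": [
            {
                # Lets IAM policies in the account grant access; required so the
                # key never becomes unmanageable if the admin role is deleted.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {"AWS": list(admin_arns)},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": list(usage_arns)},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy, principal_arn):
    """Action patterns granted to principal_arn by Allow statements that name it
    explicitly. Conditions and Deny statements are not modelled."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if principal_arn in _as_list(stmt["Principal"].get("AWS", [])):
            patterns.update(_as_list(stmt["Action"]))
    return patterns


def is_allowed(policy, principal_arn, action):
    """True if any granted pattern (with IAM-style '*' wildcards) matches action."""
    return any(fnmatch.fnmatchcase(action, p)
               for p in allowed_action_patterns(policy, principal_arn))


def separation_violations(policy, admin_arns, usage_arns):
    """List (principal, action) pairs where an admin can use the key material or a
    usage principal can change the key's lifecycle or policy."""
    violations = []
    for arn in admin_arns:
        for action in ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"):
            if is_allowed(policy, arn, action):
                violations.append((arn, action))
    for arn in usage_arns:
        for action in ("kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey"):
            if is_allowed(policy, arn, action):
                violations.append((arn, action))
    return violations


KEY_POLICY = build_key_policy(ACCOUNT_ID, [ADMIN_ROLE_ARN],
                              [SETUP_ROLE_ARN, CLUSTER_ROLE_ARN])

if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print("violations:", separation_violations(
        KEY_POLICY, [ADMIN_ROLE_ARN], [SETUP_ROLE_ARN, CLUSTER_ROLE_ARN]))
```

Running the script prints the policy document you could pass to `aws kms create-key --policy file://policy.json`, followed by an empty violations list. Putting the same role in both lists (as the question's draft does for the setup role) is not a violation in itself, but `separation_violations` makes the consequence explicit: that principal would be able both to decrypt secrets and to delete the key, which is the combination the two-statement layout exists to avoid.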
