
Why does CloudTrail not include AccessDeniedExceptions for KMS actions?


Only just starting on my AWS journey but had a refusal at the first fence.

I have a new account that only holds KMS keys. These are eventually going to be under control of a third party. I have successfully allowed users in another account to use those keys for encryption and decryption, with the explicit permission of the KMS account only. (So our customer can 'break glass' and lock us out of their data that we hold if they wish).

I am missing a key requirement though. They wish to be alerted if any attempts to use those keys are made by unknown users or by known users when the key is disabled.

In CloudTrail I have a clear log of successful calls to Encrypt and Decrypt (although not as well integrated as other service logs, so the actual Key ID isn't available in the event log list - but that's not really a problem).

Sadly there are no AccessDeniedException entries in the logs at all when I test that scenario. Now I've seen documentation that says they should be there, but they simply aren't. Is there a bit of config that I'm missing? I can see that filtering errors out saves on space if an external party is attempting an attack, but we really do want to see attempts to use the keys outside the approved "access process" where we have requested permission.

1 Answer

Just to clarify, are you trying to find out whether the access denied errors in CloudTrail are for users of the same account where the KMS keys were created, or for users coming through another account? If another account, they would probably be in the CloudTrail of the other account.

What does the test scenario look like? Account 1: KMS key. Account 2: User trying to access the KMS key in account 1?

answered 13 days ago
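The answer's point is that a denied cross-account KMS call is recorded against the calling account, so looking only at the key-owner account's trail can show nothing. The script below is an added example for this thread (not from the original post, the answerer or AWS): it reads CloudTrail records, keeps only KMS calls that carry an errorCode, and labels each one as an unapproved principal or an approved principal hitting a disabled key, while also reporting which account the record was logged in. The account IDs, key ARN, principal ARNs and the approved-principal list are constructed placeholders; the field names (eventSource, eventName, errorCode, userIdentity, recipientAccountId, resources, requestParameters) are the CloudTrail record fields.

```python
"""Flag failed AWS KMS calls in CloudTrail records (added example, constructed data)."""
import json

# Principals the key owner has deliberately granted access to (constructed).
APPROVED_PRINCIPALS = {
    "arn:aws:sts::222222222222:assumed-role/AppRole/i-0abc123",
}

# Placeholder key ARN in the key-owner account 111111111111.
KEY_ARN = "arn:aws:kms:eu-west-1:111111111111:key/11111111-2222-3333-4444-555555555555"

# Constructed sample records in the shape of a CloudTrail log file's "Records"
# array. Only the fields this script inspects are included.
SAMPLE_LOG = json.dumps({"Records": [
    {   # successful cross-account Decrypt by the approved role
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/AppRole/i-0abc123"},
        "recipientAccountId": "111111111111",
        "resources": [{"ARN": KEY_ARN}],
    },
    {   # denied Decrypt by an unknown IAM user; recorded in that caller's account
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::333333333333:user/mallory is not authorized to perform: kms:Decrypt",
        "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                         "arn": "arn:aws:iam::333333333333:user/mallory"},
        "recipientAccountId": "333333333333",
        "requestParameters": {"keyId": KEY_ARN},
    },
    {   # approved role calling Encrypt while the key is disabled; recorded in the caller's account
        "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
        "errorCode": "DisabledException",
        "errorMessage": KEY_ARN + " is disabled.",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/AppRole/i-0abc123"},
        "recipientAccountId": "222222222222",
        "requestParameters": {"keyId": KEY_ARN},
    },
    {   # unrelated successful S3 call; must be ignored
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "recipientAccountId": "111111111111",
    },
]})


def load_records(log_text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(log_text)
    return data["Records"] if isinstance(data, dict) else data


def key_id(record):
    """Best-effort key ARN: 'resources' on successes, requestParameters.keyId otherwise."""
    for res in record.get("resources", []):
        if ":key/" in res.get("ARN", ""):
            return res["ARN"]
    return record.get("requestParameters", {}).get("keyId", "unknown")


def classify_failure(record, approved):
    """Return an alert dict for a failed KMS call, or None if the record is not one."""
    if record.get("eventSource") != "kms.amazonaws.com" or "errorCode" not in record:
        return None
    identity = record.get("userIdentity", {})
    principal = identity.get("arn", "unknown")
    caller = identity.get("accountId")
    logged_in = record.get("recipientAccountId")
    if principal not in approved:
        reason = "unapproved principal"
    elif record["errorCode"] == "DisabledException":
        reason = "approved principal used a disabled key"
    else:
        reason = "approved principal denied: " + record["errorCode"]
    return {
        "event": record.get("eventName"),
        "errorCode": record["errorCode"],
        "principal": principal,
        "callerAccount": caller,
        "loggedInAccount": logged_in,
        "crossAccount": caller != logged_in,
        "key": key_id(record),
        "reason": reason,
    }


def failed_kms_calls(log_text, approved=APPROVED_PRINCIPALS):
    """All failed KMS calls in the log, in record order."""
    alerts = (classify_failure(r, approved) for r in load_records(log_text))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in failed_kms_calls(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, the successful Decrypt and the S3 call are skipped and the two failures are reported. Note what the two alerts have in common: loggedInAccount equals the caller's account, and the key-owner account appears only inside the key ARN. If, as the answer suggests, denied calls are written to the caller's trail, a script like this can only alert on trails the key owner actually collects, which is why an unknown third account's attempts may never show up in the key account's CloudTrail at all.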
