Giving users control of their keys

0

Sorry - I am a newbie… apologies for the simplicity of my question.

I have an application that computes sensitive user data in a Nitro enclave using KMS and a CMK. My users encrypt their data on their device and decryption takes place in the enclave. Computed results and user data points are encrypted again in the enclave and sent to the main server for storage. Users can then request the encrypted results, which they decrypt on their device. The whole point is for raw data to be unreadable at all times, including (and especially) by me (the application owner).

The problem is that whilst IAM policies ensure keys are used correctly, I am still able to change the policies relating to the keys. This creates risk for my users. Whilst CloudTrail can give visibility of changes, it can't stop them.

What I really want is my users to have control of their key policies through some sort of MFA, where no changes can be made without their approval.

Is this possible or is there another solution?

Thank you very much in advance - have a great day

2 Answers
0

There is an example in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-user-mfa although the example uses EC2 actions:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:TerminateInstances"
    ],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}

It uses the global condition key aws:MultiFactorAuthPresent to determine whether MFA was used. However, please note that the condition key is not available for all use cases. For the availability of the condition key, please check https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent.

AWS
Feng_C
answered 7 months ago
  • The question is not about enforcing MFA, it's about who controls the key. This answer is irrelevant.
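The same condition-key mechanism, applied where it actually decides who controls the key: a KMS key policy on a key that lives in the customer's own AWS account, so the application owner cannot edit it. This is an added example, not from the answer above; the account IDs, role names and the PCR0 value are placeholders. The first statement lets the customer administer the key only with MFA present, and the second lets the application's parent-instance role decrypt only when the request carries a Nitro Enclaves attestation document whose image measurement matches the approved enclave build.

```json
{
  "Version": "2012-10-17",
  "Id": "customer-owned-key-policy-example",
  "Statement": [
    {
      "Sid": "CustomerAdministersKeyWithMFA",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/CustomerKeyAdmin"},
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "OnlyTheAttestedEnclaveCanDecrypt",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:role/EnclaveParentInstanceRole"},
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "<PCR0 of the approved enclave image, hex SHA-384>"
        }
      }
    }
  ]
}
```

Three practical points. The attestation condition is only evaluated for kms:Decrypt, kms:GenerateDataKey and kms:GenerateRandom calls that include an attestation document, which is what the enclave's KMS integration sends; a plain call from the parent instance without one is denied. Because the enclave role is in another account, the parent-instance role additionally needs an IAM policy granting kms:Decrypt on this key's ARN. And every rebuild of the enclave image changes PCR0, so the customer has to edit the policy to approve the new hash; that is exactly the approval step the question asks for. Make sure the customer's admin principal really can satisfy the MFA condition before applying it, since a key policy that admits no administrator cannot be repaired by the application owner.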

0

Hi DomPeer,

You are right that the KMS key owner (in your case, I assume it's you) can change the key policy without approval from others.

So in your case, one possible solution would be having your customers own the key and letting them create a key policy that allows your enclave (through an IAM condition) to use the key.

However, in reality, it's not always feasible to have all the customers own their own AWS accounts and manage the key. So you'll probably need to think of a solution where the key is stored on the client side (e.g. having the customer create a master password and use an algorithm such as PBKDF2 to generate the key, or saving it in the client app, etc.).

The key takeaway is that in most enclave applications, only the enclave environment is trusted by all parties. The other parts around it (e.g. the encryption key, storage, etc.) are not, and need to be owned by their respective owners.

answered 5 months ago
EXPERT
reviewed 3 days ago
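A worked example of the client-side option in the answer above (a master key derived from the user's password with PBKDF2), added here and not code from the answer or from any AWS SDK. The parameters are assumptions: PBKDF2-HMAC-SHA256, a random 16-byte salt, a 32-byte master key, and purpose-specific subkeys obtained from it with HMAC labels. The point it demonstrates is what the server is allowed to hold: only the salt, the iteration count and a verifier, none of which lets the application owner recover the data key, while any device with the password re-derives the same key.

```python
"""Client-side master key derived from a password (added example, not from the post).

Assumptions (not in the original answer): PBKDF2-HMAC-SHA256 with a random 16-byte salt,
a 32-byte master key, and purpose-separated subkeys derived from it with HMAC labels.
Only the salt, the iteration count and a verifier ever leave the device.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_LEN = 16
KEY_LEN = 32


def derive_master_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Runs on the user's device only: password + per-user salt -> 32-byte master key."""
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def subkey(master_key: bytes, label: bytes) -> bytes:
    """Purpose-separated subkey: HMAC(master, label). HMAC is one-way, so a leaked
    verifier subkey reveals neither the master key nor the data-encryption subkey."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def enroll(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Client-side enrolment. Returns the only record the server is allowed to store."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    master = derive_master_key(password, salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "verifier": subkey(master, b"verifier").hex(),   # not the data key: different label
    }


def unlock(password: str, record: dict) -> Optional[bytes]:
    """On any of the user's devices: re-derive from the password and the stored parameters,
    check the verifier in constant time, and return the data-encryption subkey.
    A wrong password yields None rather than a silently different key."""
    master = derive_master_key(password, bytes.fromhex(record["salt"]), record["iterations"])
    if not hmac.compare_digest(subkey(master, b"verifier"), bytes.fromhex(record["verifier"])):
        return None
    return subkey(master, b"data-encryption")


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("server stores:", rec)            # salt, iterations, verifier; no key material
    key = unlock("correct horse battery staple", rec)
    print("device key:", key.hex() if key else None)
    print("wrong password:", unlock("Correct horse battery staple", rec))
```

Two caveats a practitioner should weigh. Whoever holds the stored record (including the application owner) gets an offline guessing oracle from the verifier, so the password strength and the iteration count are the whole defence; storing no verifier and letting authenticated decryption failure signal a wrong password removes that oracle at the cost of a less explicit error. And the key derived here still has to reach the enclave for the computation, so the device should release it only after verifying the enclave's attestation document, otherwise the trust argument in the answer above collapses back onto the application owner.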
