KMS key policy principal not detected

Hi team,

I have an SFTP user that uses a Sftp_role to put S3 objects inside an encrypted S3 bucket (SSE-KMS / my own KMS key).

I modified the key policy to add another statement:

  • sftp_role as principal
  • actions =
    [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
    ]
  • resource = [myencryptedBucketArn, myencryptedBucketArn/*]

The SFTP user got an access denied error when copying files into the bucket.

When I moved this policy directly onto the sftp_role it worked and the user was able to put files:

  • new policy under sftp_role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:region:7sj14575037811:key/dafsf-ceasfasf4asf-asfaf-asfasfas123",
            "Effect": "Allow"
        }
    ]
}

I'm just wondering why it doesn't work when I put the role as principal on the key policy, but it worked when I added a new policy to the sftp_role itself to give it permission to the key.

Kind Regards

1 Answer

It looks like the ARNs specified in the resource element could be for the S3 bucket ([myencryptedBucketArn, myencryptedBucketArn/*]), rather than the KMS key, as in the second policy.

To allow the KMS actions, the resource in the policy will need to be the ARN of the associated KMS key.

answered a month ago
  • Sorry, I did not understand the first part of the answer.

  • Sorry! On reading your question again, it sounds like you might be talking about two different types of policy: the KMS key policy and the IAM role policy. The action will need to be allowed in both of these for it to work.

    In the KMS key policy, the resource can be "*", which refers to the KMS key the policy is applied to, and in the IAM policy for the role, the resource will need to be the KMS key, as you already have done.
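The mistake the answer describes, a key policy statement whose Resource names the S3 bucket rather than the key, never matches and fails silently. The check below is an added example (not AWS code or anything from the original thread): it lints a key policy against the rule that Resource must be "*" or the key's own ARN, and lints the identity policy for kms: actions that do not point at a KMS ARN. The key ARN, account id, role name and bucket name are constructed placeholders.

```python
# Constructed placeholders: not a real key, account or bucket.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey", "kms:DescribeKey"]

# The key policy statement from the question, reconstructed: S3 bucket ARNs
# in Resource, which a key policy can never match.
BAD_STATEMENT = {
    "Sid": "AllowSftpRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/sftp_role"},
    "Action": KMS_ACTIONS,
    "Resource": ["arn:aws:s3:::my-encrypted-bucket",
                 "arn:aws:s3:::my-encrypted-bucket/*"],
}
# Corrected form: "*" means "the key this policy is attached to".
GOOD_STATEMENT = dict(BAD_STATEMENT, Resource="*")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_key_policy(policy, key_arn):
    """Findings for key-policy statements that cannot apply to key_arn."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{i}]")
        if "Principal" not in stmt:
            findings.append(f"{sid}: key policy statements must name a Principal")
        for res in _as_list(stmt.get("Resource")):
            if res not in ("*", key_arn):
                findings.append(f"{sid}: Resource {res!r} is not this key; statement never matches")
    return findings

def check_iam_policy(policy):
    """Findings for identity-policy statements granting kms: actions on non-KMS ARNs."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not any(a.lower().startswith("kms:") for a in _as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res != "*" and not res.startswith("arn:aws:kms:"):
                findings.append(f"statement[{i}]: Resource {res!r} is not a KMS key or alias ARN")
    return findings

if __name__ == "__main__":
    for s in (BAD_STATEMENT, GOOD_STATEMENT):
        print(check_key_policy({"Version": "2012-10-17", "Statement": [s]}, KEY_ARN))
```

Run it against your own exported key policy (aws kms get-key-policy) and role policy documents to spot statements that are present but ineffective.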
