By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Minimum privilege AWS MSK SCRAM KMS key

0

We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Security is asking to get the access to this KMS key down to the minimum privilege in the KMS key policy.

It seems the recommendation is to use Condition variables. Link : https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html

I have tried to use this in this manner: Effect: Allow Action: -kms:CreateGrant

  • kms:Encrypt Resource: "" Principal: "" Condition: StringLike: kms:EncryptionContext:aws:secretsmanager:arn: - "arn.aws.secretsmanager:us-west-2::secret:AmazonMSK_"

but i get : "Access to KMS is not allowed"

a condition such as :

Condition: StringEquals: kms:ViaService: "secretsmanager.us-west-2.amazonaws.com"

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

Topics
Security, Identity, & ComplianceAnalytics
Tags
AWS Key Management ServiceAmazon Managed Streaming for Apache Kafka (Amazon MSK)AWS Secrets Manager
Language
English
cb
asked a year ago275 views
1 Answer
0

Hi CB.

I hope you are doing well, I have found your post without an answer and wish to provide some insights should you need to revisit in the future. Based on my understanding, it seems that the encryption context that AWS Secrets Manager uses when it calls AWS KMS includes the Amazon Resource Name (ARN) of the secret in the aws:secretsmanager:resource/primary field.

you can specify this field in the KMS key policy to restrict the use of the key to specific secrets. Here's an example of how you can structure your KMS key policy to give AWS Secrets Manager access to use the KMS key only for specific secrets:

I have created a sample Json code for your reference using the information found at https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html

{ "Sid": "Allow use of the key for AmazonMSK secret", "Effect": "Allow", "Principal": {"Service": "secretsmanager.amazonaws.com"}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "", "Condition": {"StringLike": {"aws:secretsmanager:resource/primary": "arn:aws:secretsmanager:us-west-2::secret:AmazonMSK_"}} }

In the sample policy, the condition restricts the AWS KMS actions to the Secrets Manager secrets that start with AmazonMSK_ in their name.

Please adjust the region and account id in the ARN based on your own setup. Note that your actual account id should replace :: in the ARN. The principal service should be secretsmanager.amazonaws.com and not the ARN of the secret, because it's the Secrets Manager service that performs actions on the KMS key, not the secret itself.

I hope this helps you in minimizing the access privileges for your KMS key used in MSK SCRAM authentication.

Best regards, Victor

HDVALI
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content