Lambda function unable to execute CreateAlias on CMK

A customer would like to create customer master keys (CMKs) in KMS across all AWS regions. They would also like to use the same alias for their CMKs across regions. In order to do that they have a CloudFormation template. But CloudFormation does not support specifying a key alias: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

They looked at using a CustomResource within CloudFormation to invoke a Lambda function. The function takes the key-id and the alias name, then tries to apply the alias to the given key-id. Unfortunately the Lambda function does not have access to execute CreateAlias or any KMS API. It appears the KMS-specific key policy does not have a way to specify a Lambda ARN; it currently only supports an IAM user or IAM role.

I would like to know if someone else has faced a similar problem in the past and, if so, what was your workaround/solution to it? Also please do suggest if we are missing any documentation, feature or best practice that is already available to accomplish the use case above.

1 Answer
Accepted Answer

There is a workaround to grant permissions to assumed-role users by using the aws:userid Policy Variable and [IAM Policy Conditions](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition). The approach is outlined in this AWS Blog post.

KMS/Lambda-Specific Approach:

  1. Create a new Role to act as the execution role for Lambda (e.g. lambda_test_kms_execution).
  2. Make sure to give the execution role permissions to create the alias:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "kms:CreateAlias",
    "Resource": "*"
  }]
}
```

  3. Use the AWS CLI to get the unique RoleId for the role:

```shell
aws iam get-role --role-name lambda_test_kms_execution
```

     Assume the output contains "RoleId": "ARO1234567890".

  4. Add statement(s) to the KMS key policy that use Condition to match aws:userid against the unique RoleId:

```json
{
  "Sid": "Deny IAM User Permissions",
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "kms:CreateAlias",
  "Resource": "*",
  "Condition": {
    "StringNotLike": { "aws:userid": "ARO1234567890:*" }
  }
}
```

AWS
answered 8 years ago
EXPERT
reviewed a year ago
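The following Python is an added example, not part of the answer above or of any AWS code. It assembles the key policy the answer describes and runs a deliberately simplified local model of IAM evaluation over it, so you can see which callers the `aws:userid` condition lets through before deploying the policy. The role id `ARO1234567890` and role name come from the answer; the account id, session names and IAM user id are constructed sample values. Two facts the model relies on: an assumed-role session's `aws:userid` has the form `RoleId:SessionName` (an IAM user's is its own unique id, which starts with `AIDA`), and a key policy only lets IAM policies grant access when it contains the usual statement allowing the account root, which is why that statement is included alongside the answer's Deny statement.

```python
"""Build the KMS key policy from the answer and check who passes the
aws:userid condition. Added example, not from the original answer."""
import fnmatch
import json

ROLE_ID = "ARO1234567890"       # sample RoleId used in the answer
ACCOUNT_ID = "111122223333"     # constructed placeholder account id


def build_key_policy(role_id: str, account_id: str) -> dict:
    """Key policy: the standard root statement (so IAM policies such as the
    execution role's kms:CreateAlias Allow take effect) plus the answer's
    Deny-unless-this-role statement keyed on aws:userid."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Deny IAM User Permissions",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "kms:CreateAlias",
                "Resource": "*",
                # Sessions of the Lambda execution role look like "ARO...:session".
                "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringLike / StringNotLike on context keys. IAM patterns use
    only '*' and '?', which fnmatch handles; no '[' classes appear here."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"unsupported operator in this model: {operator}")
        for key, pattern in pairs.items():
            matched = fnmatch.fnmatchcase(context.get(key, ""), pattern)
            if operator == "StringLike" and not matched:
                return False
            if operator == "StringNotLike" and matched:
                return False
    return True


def evaluate(policy: dict, action: str, context: dict, iam_allows: bool) -> str:
    """Simplified model of the real evaluation order: an explicit Deny in the
    key policy wins; otherwise the caller is allowed only if the key policy's
    root statement applies AND the caller's own IAM policy allows the action
    (iam_allows). Returns "Allow" or "Deny"."""
    effects = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects and iam_allows:
        return "Allow"
    return "Deny"


if __name__ == "__main__":
    policy = build_key_policy(ROLE_ID, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))  # the document you would attach to the key
    # Constructed callers: the Lambda role's session, another role, an IAM user.
    for userid in (f"{ROLE_ID}:lambda-session", "AROZZZZZZZZZZ:other-session", "AIDAEXAMPLEUSER"):
        verdict = evaluate(policy, "kms:CreateAlias", {"aws:userid": userid}, iam_allows=True)
        print(f"{userid:40} kms:CreateAlias -> {verdict}")
```

Note that the Deny statement is scoped to `kms:CreateAlias` only, so it does not restrict other KMS actions; a caller with an IAM Allow for `kms:Decrypt` still gets through, which the model shows if you evaluate that action. Also, the Deny by itself grants nothing: the execution role still needs the IAM Allow from step 2, and the model's `iam_allows` flag stands in for that policy.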
