Why publisher need Key Permission to use SSE-KMS SQS


Why does a publisher need key permission to use a server-side encrypted (SSE-KMS) SQS queue? I understand that SQS uses the client role to fetch key details from KMS and that's why the publisher needs the required key permission. However, it's not intuitive for the client to have key permission in the case of SSE. So, what is the reason for this? One reason for this could be to secure keys from SQS as a service. However, in case the publisher is another AWS service like EventBridge or SNS, then that service has access to the key. So, it's still confusing.

1 Answer

Hi!

Some AWS services are what is often referred to as "instance-based", where the compute unit (for lack of a better word, but it could be an instance or container or something like Lambda) is executed on behalf of one account; there you can assign an execution role and assign permissions to that, so the compute unit has its own identity, so to say.

Other services like SQS do not have their own customer-controlled execution roles; they lack this identity and therefore rely on the caller's identity: the signed request is validated and, as part of that validation, the caller's identity is determined. The service can then request a set of temporary credentials which it can use for the duration to make a request (from a pre-determined, tightly regulated list of actions) towards other services, which will then in turn validate if the caller is allowed to take that action. This makes it possible for the services to work without having to run with very high privileges and protects customer data.

So when Alice sends a message to an SQS queue which has been configured to use KMS key KeyA, she will need to use a recent version of the SDK which supports Signature V4 (or in some fashion ensure that her request has a SigV4 signature), and SQS will first use IAM to establish if Alice has permission to send to the queue. If she has, the compute unit will see if it has a valid DataKey for this queue in the cache. If it has one then it will use it, but if not, the compute unit will contact KMS on Alice's behalf and obtain a new DataKey. Now that the DataKey is available, the message payload will be encrypted with the DataKey and stored in the queue together with the DataKey encrypted by KMS key KeyA.

For Bob to be able to receive the message, he will need to use a SigV4-signed request which will be validated to see if he is allowed to receive from the queue. If he is, then the compute unit will look at the message and compare its cached keys with the KeyID of the DataKey used to decrypt the message. If the DataKey isn't cached, then SQS will contact KMS on behalf of Bob and ask for the DataKey to be encrypted. The compute unit can now decrypt the payload and Bob can finally read what Alice sent to the queue.

Hope this helps to clarify.

with kind regards,
Bent T

AWS
Bent_T
answered 2 years ago
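The practical consequence of the answer above is that the KMS key policy has to grant the SQS caller, not SQS itself, the KMS actions SQS will perform on the caller's behalf: a producer needs kms:GenerateDataKey and kms:Decrypt, a consumer needs kms:Decrypt, and a service publisher such as SNS needs the same grant on its service principal. The following added example (not part of the original answer or of any AWS tool) is a small checker that reads a key policy and reports which of those actions a given principal is missing. The role ARNs, account id and policy document are constructed for the example; the checker only evaluates the key policy (explicit Deny wins over Allow, wildcard actions are matched) and ignores Condition, NotAction and delegation through the account root to IAM policies.

```python
"""Check a KMS key policy for the permissions SQS SSE-KMS needs on behalf of
the caller. Added example; all ARNs and the policy document are constructed."""
import fnmatch

# Actions SQS performs with the caller's identity (per the SQS SSE docs).
PRODUCER_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
CONSUMER_ACTIONS = {"kms:Decrypt"}

# Constructed identities for the example.
ALICE = "arn:aws:iam::123456789012:role/order-publisher"   # hypothetical
BOB = "arn:aws:iam::123456789012:role/order-consumer"      # hypothetical
SNS_SERVICE = "sns.amazonaws.com"

# Constructed key policy: Alice may produce, Bob may only consume, and the
# SNS service principal may publish into the encrypted queue.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowProducer", "Effect": "Allow",
         "Principal": {"AWS": ALICE},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "AllowConsumer", "Effect": "Allow",
         "Principal": {"AWS": BOB},
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "AllowSNSToPublish", "Effect": "Allow",
         "Principal": {"Service": SNS_SERVICE},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal):
    """principal is (kind, value) with kind 'AWS' (IAM ARN) or 'Service'."""
    if stmt_principal == "*":
        return True
    kind, value = principal
    allowed = _as_list(stmt_principal.get(kind, []))
    return any(entry in ("*", value) for entry in allowed)


def allowed_kms_actions(policy, principal, candidate_actions):
    """Subset of candidate_actions the principal may perform; Deny overrides Allow."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal):
            continue
        patterns = _as_list(stmt["Action"])
        matched = {a for a in candidate_actions
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        (denied if stmt["Effect"] == "Deny" else allowed).update(matched)
    return allowed - denied


def missing_permissions(policy, principal, role):
    """Sorted list of KMS actions the principal still needs for the given role."""
    needed = PRODUCER_ACTIONS if role == "producer" else CONSUMER_ACTIONS
    return sorted(needed - allowed_kms_actions(policy, principal, needed))


def report(policy, checks):
    """checks: iterable of (label, principal, role) -> {label: missing actions}."""
    return {label: missing_permissions(policy, principal, role)
            for label, principal, role in checks}


if __name__ == "__main__":
    result = report(KEY_POLICY, [
        ("alice-produce", ("AWS", ALICE), "producer"),
        ("bob-produce", ("AWS", BOB), "producer"),
        ("bob-consume", ("AWS", BOB), "consumer"),
        ("sns-produce", ("Service", SNS_SERVICE), "producer"),
    ])
    for label, missing in result.items():
        print(label, "OK" if not missing else "missing: " + ", ".join(missing))
```

Running it shows that Bob, who holds only kms:Decrypt, would be refused by KMS when SQS tries to obtain a data key for him as a publisher, while the SNS service principal passes because its own identity is what SQS presents to KMS when the queue is an SNS subscription target. Replace KEY_POLICY with the document returned by `aws kms get-key-policy --policy-name default` to check a real key.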
