Does kms:ViaService support FIPS endpoints, such as in GovCloud?

0

Hello, my question is just whether or not I could use the kms:ViaService condition key in an IAM policy with FIPS endpoints specified? I need to use FIPS endpoints for compliance reasons and I can't find any documentation that details this. The kms:ViaService supported services table does not include FIPS endpoints (Services that support the kms:ViaService condition key - example elasticfilesystem.AWS_region.amazonaws.com). See here - https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service

An example of the IAM policy would be - https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html

            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "elasticfilesystem.us-east-2.amazonaws.com",
                    "kms:CallerAccount": "111122223333"
                }
            }

But I would like to use -

            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "elasticfilesystem-fips.us-gov-east-1.amazonaws.com",
                    "kms:CallerAccount": "111122223333"
                }
            }

Should this work? I feel like it would because for compliance reasons a lot of GovCloud workloads are required to use FIPS endpoints and this seems like a gap otherwise.

3 Answers
0
Accepted Answer

"So for the CloudFormation templates, I would not put the FIPS endpoint name in the template itself, but rely on the env variable to ensure the FIPS endpoint is used, correct?" - That is correct

"Such as for my CloudFormation template example above I would leave it as it is, I wouldn't need to change it to fsx-fips.us-gov-west-1.amazonaws.com. Would changing the CF template to the FIPS endpoints even work?" - You'd leave it as it is. Setting the string value for the kms:ViaService condition key to fsx-fips.us-gov-west-1.amazonaws.com won't match the expected service name fsx.us-gov-west-1.amazonaws.com, and hence wouldn't have the expected outcome for this condition key usage, i.e. allowing or denying KMS operations for a role/user via the FSx service.

AWS
answered a year ago
0

Hi, as listed in the table 'Services that support the kms:ViaService condition key' in the documentation you've referenced, the value in the condition key is the service name, e.g. s3.AWS_region.amazonaws.com or elasticfilesystem.AWS_region.amazonaws.com. Think of it as the service principal name but with the region included. Therefore, for the AWS GovCloud (US) West region, the value would be s3.us-gov-west-1.amazonaws.com or elasticfilesystem.us-gov-west-1.amazonaws.com.

Once the KMS policy is set up with the kms:ViaService condition key, the use of FIPS endpoints in the US Standard Commercial Regions (US East/West) and the GovCloud regions can be achieved using the AWS CLI and AWS SDKs. In the case of the AWS CLI, you can either use the environment variable AWS_USE_FIPS_ENDPOINT set to True, or the value use_fips_endpoint = True in your ~/.aws/config file. Alternatively, you can also use the endpoint_url parameter to specify the endpoint. The AWS SDKs also support the usage of the AWS_USE_FIPS_ENDPOINT flag and endpoint_url as a parameter programmatically.

For instance, copying a file onto an S3 bucket using the AWS CLI in the GovCloud West region, specifying a KMS key whose key policy is set with the kms:ViaService condition key, with the FIPS endpoint specified, would look like this:

aws s3 cp <local file name> s3://<bucket-name>/<key-name> --sse aws:kms --sse-kms-key-id arn:aws-us-gov:kms:us-gov-west-1:<AWS Account ID>:key/<uuid> --endpoint-url https://s3-fips.us-gov-west-1.amazonaws.com

The condition key would be set as follows (more conditions can be added):

            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.us-gov-west-1.amazonaws.com"
                }
            }
AWS
answered a year ago
  • Thanks for the reply and explanation!

    Am I reading this right? 1) FIPS endpoints would only work for kms:ViaService with the AWS CLI or SDK, 2) Using the FIPS endpoint value in the condition key would not work, 3) I would still always use the 'regular' endpoint name in the condition key (because of the env variable setup).

    My concern is with 3rd party tools that would use an IAM role that grants them the KMS permission used for creating FSx via a CloudFormation template, but I suppose the env variable would cover this? See below for an example from an actual template -

    - Sid: Basic Access to KMS Key for FSx Filesystem Creation via CSP role
      Effect: Allow
      Principal:
        AWS:
          Ref: 'OpsRoleARN'
      Action:
      - kms:Decrypt
      - kms:GenerateDataKey*
      - kms:CreateGrant
      - kms:DescribeKey
      Resource: "*"
      Condition:
        StringEquals:
          kms:ViaService:
          - fsx.us-gov-west-1.amazonaws.com
    
0
  1. The kms:ViaService condition key doesn't determine endpoint usage. The AWS CLI and SDKs are used as part of a workload for operations on AWS services, and can be configured to use the FIPS endpoints.
  2. The condition key value represents more the AWS service principal name with the domain name. It indicates to KMS which service is trying to perform a KMS operation on behalf of an AWS principal, e.g. a role or user such as OpsRoleARN.
  3. You'd use the AWS KMS ViaService name listed in the docs. It appears to have the same format as the general service endpoint.

CloudFormation will set up the infrastructure. The IAM role with the condition key would still take effect for FSx operations.

Hope this helps.

AWS
answered a year ago
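To make the point in the answers above concrete, here is an added example (not from this thread or from AWS) that evaluates the StringEquals condition of the FSx key-policy statement the way IAM does, against a constructed request context, and includes a small lint for ViaService values that name a FIPS host. The request context and the "-fips." host pattern are assumptions based on what the answers state.

```python
from typing import Dict, List, Union

Condition = Dict[str, Union[str, List[str]]]

# Constructed request context: what KMS evaluates when FSx in GovCloud West
# calls KMS on behalf of a caller in account 111122223333. Per the thread,
# kms:ViaService carries the service name plus region regardless of whether
# the caller talked to the FIPS or the standard FSx endpoint.
FSX_GOVCLOUD_CONTEXT = {
    "kms:ViaService": "fsx.us-gov-west-1.amazonaws.com",
    "kms:CallerAccount": "111122223333",
}

def string_equals(condition: Condition, context: Dict[str, str]) -> bool:
    """IAM StringEquals semantics: every condition key must be present in the
    request context and equal one of its listed values (list = OR, keys = AND)."""
    for key, allowed in condition.items():
        values = [allowed] if isinstance(allowed, str) else allowed
        if context.get(key) not in values:
            return False
    return True

def evaluate(statement: dict, context: Dict[str, str]) -> str:
    """Return the statement's Effect if its StringEquals block matches the
    context, otherwise 'ImplicitDeny' (no other statements are modelled)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return statement["Effect"] if string_equals(cond, context) else "ImplicitDeny"

def fips_via_service_values(statement: dict) -> List[str]:
    """Policy lint: kms:ViaService values naming a FIPS host. KMS does not put
    '<service>-fips.<region>...' in the request context, so such a statement
    never matches and the grant it was meant to give silently fails."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    raw = cond.get("kms:ViaService", [])
    values = [raw] if isinstance(raw, str) else raw
    return [v for v in values if "-fips." in v]

def fsx_statement(via_service: str) -> dict:
    """The thread's FSx key-policy statement with a chosen ViaService value."""
    return {
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": [via_service],
            "kms:CallerAccount": "111122223333",
        }},
    }

if __name__ == "__main__":
    good = fsx_statement("fsx.us-gov-west-1.amazonaws.com")
    bad = fsx_statement("fsx-fips.us-gov-west-1.amazonaws.com")
    print(evaluate(good, FSX_GOVCLOUD_CONTEXT), evaluate(bad, FSX_GOVCLOUD_CONTEXT))
    print(fips_via_service_values(bad))
```

Running the lint over a key policy before deployment catches the FIPS-host mistake from the question, which otherwise only shows up as an AccessDenied at FSx creation time.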
  • Thanks again!

    So for the CloudFormation templates, I would not put the FIPS endpoint name in the template itself, but rely on the env variable to ensure the FIPS endpoint is used, correct?

    Such as for my CloudFormation template example above I would leave it as it is, I wouldn't need to change it to fsx-fips.us-gov-west-1.amazonaws.com. Would changing the CF template to the FIPS endpoints even work?
