EBS with KMS CMK encryption


I created a Customer Managed Key (CMK) without specifying Key Administrators or Key User policies. However, I noticed that I can still attach this KMS-CMK to EBS volumes and perform read-write operations on them through an EC2 instance. I want to restrict this access so that only specific groups of people can administer this KMS-CMK, and the Key User policy should only allow EBS and S3 storage services to use these keys. Can someone help me with the policy for this? Also, I noticed that auto key rotation only allows rotation yearly, but I want to rotate the key material every 90 days. Is there a way to achieve this?

1 Answer

To refine access to your Customer Managed Key (CMK) in AWS KMS for specific administrative actions and restrict its use to only EBS and S3 services, you'll need to modify the key policy. AWS Key Management Service (KMS) allows you to define who can administer and use the CMKs through key policies.

Adjusting the Key Policy

Here's a simplified example of how you might adjust your key policy to meet these requirements. Remember, you'll need to replace placeholders like <YourAccountId> with your actual AWS account ID and <UserOrGroupArn> with the ARN(s) of the user(s) or IAM group(s) you want to grant permissions to:

{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YourAccountId>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<AdminUserOrGroupArn>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<UserOrGroupArnForEBSAndS3>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.<Region>.amazonaws.com",
            "s3.<Region>.amazonaws.com"
          ]
        }
      }
    }
  ]
}

This policy allows specified administrators to manage the key while restricting its usage to EBS and S3 services through the kms:ViaService condition. Ensure you update <Region> to match your AWS region.

Key Rotation Every 90 Days

Regarding key rotation, AWS KMS supports automatic rotation only once a year and doesn't offer an out-of-the-box solution for more frequent rotations. If you need to rotate keys every 90 days, you'll have to implement a custom solution. This could involve using AWS Lambda functions triggered by Amazon CloudWatch Events (or Amazon EventBridge) to call the CreateKey and UpdateAlias API operations to create a new CMK and update the alias to point to the new CMK every 90 days.

EXPERT, answered 23 days ago
Artem (EXPERT), reviewed 18 days ago
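As an added check, not part of the answer above or of any AWS tooling, the script below parses a key policy shaped like the one in the answer and reports whether key use is limited to EBS and S3 through kms:ViaService, and whether a kms:CreateGrant statement conditioned on kms:GrantIsForAWSResource is present (EC2 issues a grant when it attaches a volume encrypted under a CMK, so a policy without it fails at attach time). The account ID 111122223333, the role ARN and the region are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample (hypothetical account 111122223333, role and region):
# the root statement and the "Allow use of the key" statement from the answer.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ebs-users"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": [
         "ec2.us-east-1.amazonaws.com", "s3.us-east-1.amazonaws.com"]}}}
  ]
}
""")
ALLOWED_VIA = ("ec2.", "s3.")  # EBS reaches KMS as ec2.<region>, S3 as s3.<region>

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))
def _grants(stmt, action):  # does this statement's Action list cover `action`?
    return any(fnmatch.fnmatch(action, a) for a in _as_list(stmt.get("Action", [])))

def check_key_policy(policy):
    findings, has_aws_grant = [], False
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow": continue
        sid, principals, cond = s.get("Sid", "?"), _principals(s), s.get("Condition", {})
        via = _as_list(cond.get("StringEquals", {}).get("kms:ViaService", []))
        # Any non-root principal that can Decrypt must be pinned to EBS/S3 via ViaService.
        if _grants(s, "kms:Decrypt") and not all(p.endswith(":root") for p in principals):
            if not via:
                findings.append(f"{sid}: key use is not limited by kms:ViaService")
            findings += [f"{sid}: unexpected service {v}" for v in via
                         if not v.startswith(ALLOWED_VIA)]
        bool_cond = cond.get("Bool", {}).get("kms:GrantIsForAWSResource", "")
        has_aws_grant |= _grants(s, "kms:CreateGrant") and str(bool_cond).lower() == "true"
    if not has_aws_grant:
        findings.append("no kms:CreateGrant statement conditioned on kms:GrantIsForAWSResource; "
                        "EC2 needs it to attach volumes encrypted under this key")
    return findings
```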
  • Regarding rotation frequency, stay tuned!

  • Thanks for the quick help. As per my understanding, in AWS, Customer Managed Keys (CMKs), also known as Key Management Service (KMS) keys, are essentially Key Encryption Keys (KEKs) used for encrypting and decrypting Data Encryption Keys (DEKs). It's observed that AWS doesn't offer full control to customers for rotating keys as immediately as Azure does. While attempting to update an existing alias to point to a new key, I noticed that the process merely attaches or points the alias to the new key ID without affecting the current key. However, at the level of Elastic Block Store (EBS) volumes, the KMS key ID remains unchanged, still referencing the old KMS key without an alias (since the alias moved to the new key ID) even after waiting for over an hour. If I'm missing a step or doing something incorrectly, could you guide me through the correct procedure?

    And I'm unsure: even if AWS automatically rotates the KMS key annually, does the updated key automatically reflect in services like EBS and S3, or is manual updating required?

    I used the below az cli command to update the alias: aws kms update-alias --alias-name alias/Key04 --target-key-id xxxxx-xxxxx-xxxxx-xxxx
