By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Decrypt CloudWatch logs only if user has KMS access

0

Hey folks,

I have a customer-managed KMS key that was created to encrypt a specific CloudWatch log group. In the key policy, I have something like:

{
 "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Your_account_ID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.region.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
                }
            }
        }    
    ]
}

However, anyone in the AWS account can see the decrypted logs. Is it possible to only allow users that have access to this KMS key via kms:Decrypt* to decrypt logs, like we do in S3, or is not possible to do this on CloudWatch log groups?

S3 Example: s3-bucket-access-default-encryption

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceAWS Security HubAmazon CloudWatch Logs
Language
English
exceltior
asked 2 months ago553 views
2 Answers
0

Can they see the logs or can they see contents the log streams?

The key policy looks correct. You will be relying on IAM polices to allow users to use the Kms keys.

Review what Kms keys are allowed by iam permissions already assigned to users. Also review the cloud watch log groups are using KMS.

profile picture
EXPERT
Gary Mclean
answered 2 months ago
  • exceltior
    2 months ago

    To be clear, this is a user who has only the "ReadOnlyAccess" policy associated and no explicit access to the key(The key policy is the one above).

    This user can see the log group(correctly encrypted by the KMS), the log streams of that group, and the log events themselves.

    The expected result would be: no access to the logs because it does not have access to the decrypt key.

  • Gary Mclean EXPERT
    2 months ago

    Everything should work based on your information and description of how everything is setup. All I can suggest is double check everything. Log group using the expected Kms key, user has no other policies attached directly or by group member ship, Kms key is correct policy.

0

While IAM does not directly support conditions based on the KMS key for log viewing actions, you can use resource tags and condition keys in IAM policies to approximate this. For example, tag your KMS key and log groups with specific attributes and use those in IAM policy conditions.

Here's an example IAM policy that incorporates tag-based conditions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewEncryptedLogs",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Project": "ProjectX",
                    "aws:ResourceTag/Project": "ProjectX"
                }
            }
        },
        {
            "Sid": "DecryptWithSpecificKMSKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:RequestTag/Project": "ProjectX",
                    "kms:ViaService": "logs.region.amazonaws.com"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
EXPERT
Mina Gobrial - OptimeCloud
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content