By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cross-Account KMS Key Alias ARN - Invalid Key provided by the user Error

0

We are facing some issues when trying to use** KMS Key Alias ARN** with some AWS Services

In our AWS Organization We are using a Centralized AWS Account to store CMK Keys generated externally and then Imported to KMS in the Centralizzed Account.

Each of our Application Accounts in Production Environment has its own Key stored in the centralized Account with a Key Policy that allows All Principals from the Application Account to use the Key for** Cryptographic Operations**.

To be able to rotate keys in the future, We are associating a Key Alias to each created key which then will be moved to newer versions of the Key in case of rotation.

So I was wondering if there are any AWS Services that don't support the use of KMS Key Alias ARN when using Cross-Account/Same-Account Keys ?

The Question arises from a test we already did by trying to create an AWS Backup Vault with a KMS Key Alias ARN and this what We recieved :

An error occurred (InvalidParameterValueException) when calling the CreateBackupVault operation: Invalid Key provided by the user. Key Aliases are not supported for this operation. (Service: AWSKMS; Status Code: 400; Error Code: InvalidArnException; Request ID: dfb6d7d3-e65e-4bed-ad67-8ae710244d7b; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; Proxy: null) (Service: AmazonCryoStorage; Status Code: 400; Error Code: IllegalArgumentException; Request ID: 799b6fbf-57aa-43e6-a870-552f89a84c21; Proxy: null)

  • kumo-hiyori
    9 months ago

    Is there a reason why you want to do manual key rotation over automatic key rotation? KMS can rotate your key on behalf and it's the most convenient and easiest way to do so.

  • Peter Eskandar
    9 months ago

    for security requirements we should use CMK KMS Keys with key Materials generated externally using a third-party provider. In this case automatic rotation isn't supported and we need to do the rotation manually or by using the same third-party provider.

  • kumo-hiyori
    9 months ago

    If you can share, may I ask what exactly is the security requirement and for what reason?

Topics
Security, Identity, & ComplianceStorage
Tags
AWS Key Management ServiceAWS BackupEncryption
Language
English
profile picture
Peter Eskandar
asked 9 months ago594 views
1 Answer
0

I have seen that there are many AWS services that do not support the use of the Alias on a KMS key and you have to use the uuid.

Also be aware and I can’t remember off the top of my head that there is a limit/rate limit of the number of Kms decrypt/encrypt cross account as apposed to local account transactions. I think it was so many per second/minute but can’t remember.

profile picture
EXPERT
Gary Mclean
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content