使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Minimal Privilege MSK SCRAM KMS Key policy

0

We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Our Security is asking to get the access to this KMS key down to the minimum privilege in the associated KMS key policy.

It seems the recommendation is to use Condition variables. Link : https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html

I have tried to use this in this manner:

Effect: Allow
Action: 
- kms:CreateGrant
- kms:Encrypt
Resource: "*"
Principal: "*"
Condition: 
     StringLike:
         kms:EncryptionContext:aws:secretsmanager:arn: 
          - "arn.aws.secretsmanager:us-west-2:*:secret:AmazonMSK_*"

but i get : "Access to KMS is not allowed"

a condition such as :

 Condition: 
     StringEquals:
         kms:ViaService: "secretsmanager.us-west-2.amazonaws.com"

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

主题
安全、身份和合规性分析
标签
AWS 智能钥匙管理服务适用于 Apache Kafka 的亚马逊托管流媒体(亚马逊 MSK)AWS Secrets Manager
语言
English
cb
已提问 1 年前711 查看次数
1 回答
0
已接受的回答

I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encryption-context. Use extreme caution when updating the key policies so they don't become unmanageable -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html. Make sure you have a statement for key administration, in addition to, the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:

{
    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
        }
    }
}
AWS
AWS-Everett
已回答 1 年前
  • cb
    1 年前

    That one works. Thanks!

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容