Minimum privilege AWS MSK SCRAM KMS key


We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Security is asking to get the access to this KMS key down to the minimum privilege in the KMS key policy.

It seems the recommendation is to use Condition variables. Link :

I have tried to use this in this manner: Effect: Allow Action: -kms:CreateGrant

  • kms:Encrypt Resource: "" Principal: "" Condition: StringLike: kms:EncryptionContext:aws:secretsmanager:arn: - ""

but i get : "Access to KMS is not allowed"

a condition such as :

Condition: StringEquals: kms:ViaService: ""

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

1 回答

Hi CB.

I hope you are doing well, I have found your post without an answer and wish to provide some insights should you need to revisit in the future. Based on my understanding, it seems that the encryption context that AWS Secrets Manager uses when it calls AWS KMS includes the Amazon Resource Name (ARN) of the secret in the aws:secretsmanager:resource/primary field.

you can specify this field in the KMS key policy to restrict the use of the key to specific secrets. Here's an example of how you can structure your KMS key policy to give AWS Secrets Manager access to use the KMS key only for specific secrets:

I have created a sample Json code for your reference using the information found at

{ "Sid": "Allow use of the key for AmazonMSK secret", "Effect": "Allow", "Principal": {"Service": ""}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "", "Condition": {"StringLike": {"aws:secretsmanager:resource/primary": "arn:aws:secretsmanager:us-west-2::secret:AmazonMSK_"}} }

In the sample policy, the condition restricts the AWS KMS actions to the Secrets Manager secrets that start with AmazonMSK_ in their name.

Please adjust the region and account id in the ARN based on your own setup. Note that your actual account id should replace :: in the ARN. The principal service should be and not the ARN of the secret, because it's the Secrets Manager service that performs actions on the KMS key, not the secret itself.

I hope this helps you in minimizing the access privileges for your KMS key used in MSK SCRAM authentication.

Best regards, Victor

已回答 1 年前

您未登录。 登录 发布回答。