Cross-Account KMS Key Alias ARN - Invalid Key provided by the user Error


We are facing some issues when trying to use a **KMS Key Alias ARN** with some AWS services.

In our AWS Organization we are using a centralized AWS account to store CMK keys generated externally and then imported into KMS in the centralized account.

Each of our application accounts in the production environment has its own key stored in the centralized account, with a key policy that allows all principals from the application account to use the key for **cryptographic operations**.

To be able to rotate keys in the future, we are associating a key alias with each created key, which will then be moved to the newer version of the key in case of rotation.

So I was wondering if there are any AWS services that don't support the use of a KMS key alias ARN when using cross-account/same-account keys?

The question arises from a test we already did by trying to create an AWS Backup vault with a KMS key alias ARN, and this is what we received:

An error occurred (InvalidParameterValueException) when calling the CreateBackupVault operation: Invalid Key provided by the user. Key Aliases are not supported for this operation. (Service: AWSKMS; Status Code: 400; Error Code: InvalidArnException; Request ID: dfb6d7d3-e65e-4bed-ad67-8ae710244d7b; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; Proxy: null) (Service: AmazonCryoStorage; Status Code: 400; Error Code: IllegalArgumentException; Request ID: 799b6fbf-57aa-43e6-a870-552f89a84c21; Proxy: null)

  • Is there a reason why you want to do manual key rotation over automatic key rotation? KMS can rotate your key on your behalf, and it's the most convenient and easiest way to do so.

  • For security requirements, we should use CMK KMS keys with key material generated externally using a third-party provider. In this case automatic rotation isn't supported, and we need to do the rotation manually or by using the same third-party provider.

  • If you can share, may I ask what exactly is the security requirement and for what reason?

Asked 7 months ago, 499 views
1 answer

I have seen that there are many AWS services that do not support the use of the alias of a KMS key, and you have to use the UUID.

Also be aware (I can't remember off the top of my head) that there is a limit/rate limit on the number of KMS decrypt/encrypt cross-account as opposed to local-account transactions. I think it was so many per second/minute, but I can't remember.

Answered 7 months ago
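The practical consequence of the answer above (and of the error in the question) is that a caller who wants to keep the alias as the thing it configures has to resolve the alias ARN to the key ARN itself before calling services such as Backup. The following is an added example, not code from the original post or from AWS: it accepts a key ARN or an alias ARN, resolves an alias with `kms:DescribeKey` (which accepts an alias ARN and returns the backing key's metadata), refuses bare alias names and bare key IDs because those are ambiguous across accounts, and only then calls `create_backup_vault` with a key ARN. The alias name, account ID and key IDs are constructed, and the `FakeKMS`/`FakeBackup` classes are constructed stand-ins for `boto3.client("kms")` and `boto3.client("backup")` so the script runs offline; with real boto3 clients the same functions work unchanged, provided the key policy in the central account also grants `kms:DescribeKey` to the application-account principal (the policy described in the question mentions cryptographic operations only, so that grant is an assumption).

```python
"""Resolve a KMS alias ARN to the backing key ARN before calling a service
that rejects aliases, such as AWS Backup's CreateBackupVault.

Added example; not code from the original post or from AWS. Constructed fake
KMS and Backup clients stand in for boto3 clients so this runs offline.
"""
import re
from typing import Any, Dict, Iterable

# Alias ARN:  arn:<partition>:kms:<region>:<account>:alias/<alias-name>
ALIAS_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+)"
    r":(?P<account>\d{12}):alias/(?P<name>[A-Za-z0-9/_-]+)$"
)
# Key ARN:  arn:<partition>:kms:<region>:<account>:key/<key-id>
# key-id is a UUID, or "mrk-" followed by 32 hex chars for multi-Region keys.
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+)"
    r":(?P<account>\d{12}):key/(?P<key_id>mrk-[0-9a-f]{32}|"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def is_alias_arn(arn: str) -> bool:
    return ALIAS_ARN_RE.match(arn) is not None


def is_key_arn(arn: str) -> bool:
    return KEY_ARN_RE.match(arn) is not None


def resolve_key_arn(arn: str, kms) -> str:
    """Return a key ARN for `arn`, resolving alias ARNs via kms:DescribeKey.

    Bare alias names ("alias/x") and bare key IDs are rejected: outside the
    caller's own account they are ambiguous, so only full ARNs are accepted.
    The caller needs kms:DescribeKey on the key (assumed granted by key policy).
    """
    if is_key_arn(arn):
        return arn
    if not is_alias_arn(arn):
        raise ValueError(f"expected a KMS key ARN or alias ARN, got {arn!r}")
    meta = kms.describe_key(KeyId=arn)["KeyMetadata"]
    # After a manual rotation the previous key may be disabled; fail early
    # rather than creating a resource bound to a key that cannot be used.
    if meta.get("KeyState") != "Enabled":
        raise RuntimeError(f"{arn} resolves to {meta['Arn']} (state {meta.get('KeyState')})")
    return meta["Arn"]


def create_backup_vault(backup, kms, vault_name: str, kms_arn: str) -> str:
    """Create a Backup vault encrypted with `kms_arn`, which may be an alias ARN.

    Returns the key ARN actually sent to the service. The service stores that
    key ARN, so retargeting the alias later does not change this vault's key.
    """
    key_arn = resolve_key_arn(kms_arn, kms)
    backup.create_backup_vault(BackupVaultName=vault_name, EncryptionKeyArn=key_arn)
    return key_arn


class FakeKMS:
    """Constructed stand-in for boto3.client("kms"): maps alias ARN -> key ARN."""

    def __init__(self, aliases: Dict[str, str], disabled: Iterable[str] = ()):
        self.aliases = dict(aliases)
        self.disabled = set(disabled)

    def describe_key(self, KeyId: str) -> Dict[str, Any]:
        key_arn = self.aliases.get(KeyId, KeyId)
        if key_arn not in self.aliases.values():
            raise LookupError(f"NotFoundException: {KeyId}")
        state = "Disabled" if key_arn in self.disabled else "Enabled"
        return {"KeyMetadata": {"Arn": key_arn, "KeyId": key_arn.rsplit("/", 1)[1],
                                "KeyState": state}}


class FakeBackup:
    """Constructed stand-in for boto3.client("backup") that, like the real
    service, refuses an alias ARN as EncryptionKeyArn."""

    def __init__(self):
        self.vaults: Dict[str, str] = {}  # vault name -> key ARN it was created with

    def create_backup_vault(self, BackupVaultName: str, EncryptionKeyArn: str) -> Dict[str, str]:
        if not is_key_arn(EncryptionKeyArn):
            raise ValueError("InvalidParameterValueException: Invalid Key provided by the user. "
                             "Key Aliases are not supported for this operation.")
        self.vaults[BackupVaultName] = EncryptionKeyArn
        return {"BackupVaultName": BackupVaultName}


if __name__ == "__main__":
    # Constructed identifiers: central account 111111111111, one app's alias.
    alias = "arn:aws:kms:eu-west-1:111111111111:alias/app-prod-backup"
    old_key = "arn:aws:kms:eu-west-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    new_key = "arn:aws:kms:eu-west-1:111111111111:key/mrk-0123456789abcdef0123456789abcdef"
    kms, backup = FakeKMS({alias: old_key}), FakeBackup()
    print("vault-1 key:", create_backup_vault(backup, kms, "prod-vault-1", alias))
    kms.aliases[alias] = new_key  # manual rotation: alias now points at the new key
    print("vault-2 key:", create_backup_vault(backup, kms, "prod-vault-2", alias))
    print("vault-1 still uses:", backup.vaults["prod-vault-1"])
```

Two points the example makes explicit: the resolution has to happen at provisioning time, because once the service has the key ARN the alias is out of the picture, so re-pointing the alias after a rotation affects only resources created afterwards; and a disabled previous key is caught before a resource is tied to it.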
