KMS key policy to allow access to the key only to the role used to create the key

0

Looking for a KMS key policy that satisfies the following requirement. The role that a user/program assumes to create a KMS key is specified in the key's policy as the only role/user which being assumed may access the key in the future. If such policy is possible, then what it is? If not, then which specific feature of KMS doesn't allow it?

The approach described below has been unsuccessful.

Through the AWS console in account 444444444444, I can create a KMS key with a policy (see below).

KMSCreateCustomerKeyRole in account 444444444444 is a cross-account role for account 3333333333333. In the latter there is encryption_key_manager user in a user group that can assume KMSCreateCustomerKeyRole.

Logging into AWS console as a encryption_key_manager user and assuming KMSCreateCustomerKeyRole, a key with the same policy also gets created successfully.

{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::444444444444:root"
        },
        "Action": "kms: *",
        "Resource": "*"
    },
    {
        "Sid": "Deny for everyone except the specified role and user",
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": [
                "arn:aws:iam::444444444444:root",
                "arn:aws:sts::444444444444:assumed-role/KMSCreateCustomerKeyRole/ encryption_key_manager",
                "arn:aws:iam::444444444444:role/KMSCreateCustomerKeyRole"
            ]
        },
        "Action": "kms: *",
        "Resource": "*"
    }
]
}

So far, it works in the sense that other users/role can't access the key through the console.

However, key creation should be done programmatically, so to test this policy I try to create a key via cli. CLI uses the KMSCreateCustomerKeyRole profile, which points to the default encryption_key_manager profile with aws credentials file as

[default] 
role_arn = arn:aws:iam::444444444444:role/KMSCreateCustomerKeyRole source_profile = encryption_key_manager

[encryption_key_manager]  
aws_access_key_id = .....

get-caller-identity returns

{
"UserId": "AAAAAAAAAAAAAAA:botocore-session-1640070193",
"Account": "444444444444",
"Arn": "arn:aws:sts::444444444444: assumed-role/KMSCreateCustomerKeyRole/botocore-session-1640070193"
}

Key generation request

 aws kms create-key --description another_key --policy file: //policy.json --region us-east-2

results in an error occurred (MalformedPolicyDocumentException) when calling the CreateKey operation: The new key policy will not allow you to update the key policy in the future.

Same error is produced for encryption_key_manager profile

 aws kms create-key --description another_key --policy file: //policy.json --profile encryption_key_manager --region us-east-2

I thought that this may happen because while using command line we pass to AMS KMS an ARN with session-id, and KMS can't match this ARN to any of ARN in the array for NotPrincipal in Deny part of the policy. I have added the ARN with session id (arn:aws:sts::444444444444: assumed-role/ KMSCreateCustomerKeyRole/botocore-session-1640070193) to the ARN's array, but the error stays the same.

已提问 2 年前21445 查看次数
1 回答
1
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:role/KeyCreatorRole"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

This is taken from the examples found here: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

profile pictureAWS
专家
kentrad
已回答 2 年前
  • This doesn't work. I am using role to access KMS key and have given role access to key policy but still with role I can't even describe key.

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则