使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Minimal Privilege MSK SCRAM KMS Key policy

0

We are using MSK SCRAM which registers Secrets Manager secrets for authentication. This does require a separate symmetric KMS key to be used with the secrets. The secrets are required to be of the form 'AmazonMSK_*'. Our Security is asking to get the access to this KMS key down to the minimum privilege in the associated KMS key policy.

It seems the recommendation is to use Condition variables. Link : https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html

I have tried to use this in this manner:

Effect: Allow
Action: 
- kms:CreateGrant
- kms:Encrypt
Resource: "*"
Principal: "*"
Condition: 
     StringLike:
         kms:EncryptionContext:aws:secretsmanager:arn: 
          - "arn.aws.secretsmanager:us-west-2:*:secret:AmazonMSK_*"

but i get : "Access to KMS is not allowed"

a condition such as :

 Condition: 
     StringEquals:
         kms:ViaService: "secretsmanager.us-west-2.amazonaws.com"

works, but is not specific enough. Does someone know what EncryptionContext could be used for secretsmanager conditions?

主題
安全性、身分識別與合規分析
標籤
AWS Key Management ServiceAmazon Managed Streaming for Apache Kafka (Amazon MSK)AWS Secrets Manager
語言
English
cb
已提問 1 年前檢視次數 712 次
1 個回答
0
已接受的答案

I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encryption-context. Use extreme caution when updating the key policies so they don't become unmanageable -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html. Make sure you have a statement for key administration, in addition to, the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:

{
    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
        }
    }
}
AWS
AWS-Everett
已回答 1 年前
  • cb
    1 年前

    That one works. Thanks!

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容