Cross-Account KMS Key Alias ARN - Invalid Key provided by the user Error

0

We are facing some issues when trying to use** KMS Key Alias ARN** with some AWS Services

In our AWS Organization We are using a Centralized AWS Account to store CMK Keys generated externally and then Imported to KMS in the Centralizzed Account.

Each of our Application Accounts in Production Environment has its own Key stored in the centralized Account with a Key Policy that allows All Principals from the Application Account to use the Key for** Cryptographic Operations**.

To be able to rotate keys in the future, We are associating a Key Alias to each created key which then will be moved to newer versions of the Key in case of rotation.

So I was wondering if there are any AWS Services that don't support the use of KMS Key Alias ARN when using Cross-Account/Same-Account Keys ?

The Question arises from a test we already did by trying to create an AWS Backup Vault with a KMS Key Alias ARN and this what We recieved :

An error occurred (InvalidParameterValueException) when calling the CreateBackupVault operation: Invalid Key provided by the user. Key Aliases are not supported for this operation. (Service: AWSKMS; Status Code: 400; Error Code: InvalidArnException; Request ID: dfb6d7d3-e65e-4bed-ad67-8ae710244d7b; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; Proxy: null) (Service: AmazonCryoStorage; Status Code: 400; Error Code: IllegalArgumentException; Request ID: 799b6fbf-57aa-43e6-a870-552f89a84c21; Proxy: null)

  • Is there a reason why you want to do manual key rotation over automatic key rotation? KMS can rotate your key on behalf and it's the most convenient and easiest way to do so.

  • for security requirements we should use CMK KMS Keys with key Materials generated externally using a third-party provider. In this case automatic rotation isn't supported and we need to do the rotation manually or by using the same third-party provider.

  • If you can share, may I ask what exactly is the security requirement and for what reason?

profile picture
已提問 7 個月前檢視次數 504 次
1 個回答
0

I have seen that there are many AWS services that do not support the use of the Alias on a KMS key and you have to use the uuid.

Also be aware and I can’t remember off the top of my head that there is a limit/rate limit of the number of Kms decrypt/encrypt cross account as apposed to local account transactions. I think it was so many per second/minute but can’t remember.

profile picture
專家
已回答 7 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南