Create KMS key with restrictive permission


I would like to create a KMS key from the root account via console with the following very restrictive conditions: The root account can only enable/disable/delete and view policy. The initial policy would grant permission to a specific user on creation for the encrypt/decrypt operations. In the future, the root is only able to delete the key but can not change policy to grant sensitive privileges to itself or another user. This way the user's encrypted data can be guaranteed to stay secure (not guaranteed to be available but that's okay). I tried the following policy but AWS console complains unless I specifically also include PutKeyPolicy in root's permission list. I don't want root to have that privilege. Is this possible? Or why not? Is there an alternative? What am I missing?

{
  "Version": "2012-10-17",
  "Id": "test-kms-policy",
  "Statement": [
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<>:root"
      },
      "Action": [
        "kms:ListKeys",
        "kms:CreateKey",
        "kms:ReplicateKey",
        "kms:DescribeKey",
        "kms:UpdateKeyDescription",
        "kms:EnableKey",
        "kms:DisableKey",
        "kms:UpdatePrimaryRegion",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:ListAliases",
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias",
        "kms:ListKeyPolicies",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:GetPublicKey",
        "kms:ListResourceTags",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access for the user",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::<>:user/user"]
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:GenerateRandom"
      ],
      "Resource": "*"
    }
  ]
}

asked 3 days ago, 90 views
1 Answer
Accepted Answer

There's a hardwired safety check in KMS that tries to discourage you from modifying key permissions in a way that would deny you the right to do so after the change.

You can bypass this safety mechanism with the --bypass-policy-lockout-safety-check option when using the CLI to set the KMS key policy: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/put-key-policy.html

On a general note, I suggest you note that if the IAM user with permissions resides in the same account, root would implicitly have the permissions to reset the IAM user's credentials and MFA to obtain access. Unless you block this from outside the account with an AWS Organizations Service Control Policy (SCP), which is effective even against the root user, the other alternative would be to place the authorised IAM user in another AWS account, where the root of the account containing the key wouldn't have access.

Also note that root could alternatively raise a support ticket with AWS to ask them to restore access to the key in their own account.

Leo K
answered 3 days ago
  • Thanks Leo for that quick and very educative answer. The idea was certainly to have the user in another AWS account but your latter point about being able to reset access just by raising a support ticket makes this whole thing moot.
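The lockout check the answer describes, plus its point about same-account users, as an added local pre-flight check over a key policy document (example code written for this page, not from the post or from AWS; the account id is a constructed placeholder and the embedded policy is the question's, trimmed). It reports which same-account principals still hold kms:PutKeyPolicy, so an empty list tells you in advance that the console will refuse the policy, and which data-access principals sit in the key's own account, where root can reset their credentials.

```python
import fnmatch
import json
KEY_ACCOUNT = "123456789012"  # constructed placeholder for the account that owns the key

# The question's policy (trimmed) with its "<>" placeholders filled with the constructed id.
POLICY = json.dumps({
    "Statement": [
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
         "Action": ["kms:DescribeKey", "kms:EnableKey", "kms:DisableKey",
                    "kms:ScheduleKeyDeletion", "kms:GetKeyPolicy"],
         "Resource": "*"},
        {"Sid": "Allow access for the user", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{KEY_ACCOUNT}:user/user"]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _principals(stmt):
    # Flatten Principal to ARN strings; the anonymous principal "*" stays "*".
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS"))

def _account_of(arn):
    parts = arn.split(":")  # arn:aws:iam::<account>:<resource>
    return parts[4] if len(parts) > 4 else None

def policy_lockout_report(policy_json, key_account):
    """Return (admins, same_account_users): same-account principals keeping kms:PutKeyPolicy
    (an empty list is what the console lockout check refuses) and same-account data-access
    principals (whose credentials root can reset, as the answer notes). Allow statements only."""
    admins, same_account = [], []
    for s in _as_list(json.loads(policy_json)["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(s.get("Action"))]  # may be kms:* or kms:Put*
        grants_put = any(fnmatch.fnmatchcase("kms:putkeypolicy", a) for a in acts)
        grants_data = any(fnmatch.fnmatchcase("kms:decrypt", a) for a in acts)
        for p in _principals(s):
            in_account = p == "*" or _account_of(p) == key_account
            if grants_put and in_account:
                admins.append(p)
            if grants_data and in_account and p != "*" and not p.endswith(":root"):
                same_account.append(p)
    return admins, same_account
```

Deny statements and Condition blocks are not evaluated, so treat the result as a quick screen rather than a full IAM policy simulation.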