
I've generated an AWS KMS key and have an S3 file which I want to encrypt server-side. I don't understand why one of the users can decrypt it, though. The setup I've got is:

Key with 3 policy statements:

  • arn:aws:iam::${AWS::AccountId}:root with access to kms:*
  • arn:aws:iam::${AWS::AccountId}:user/bank_trans_admin with access to kms:Encrypt and kms:DescribeKey
  • Instance profile with access to kms:Decrypt and kms:DescribeKey

I'm using aws-vault with the bank_trans_admin profile configured. Using that, I uploaded a file, which worked as expected:

aws-vault exec bank_trans_admin -- aws s3 cp --sse aws:kms --sse-kms-key-id alias/TransactionAccountsKey the_file s3://some-bucket/

I verified in the AWS web console that the file is encrypted using KMS/sse.

But now I wanted to make sure I can't use decryption on the same account, so I did:

aws-vault exec bank_trans_admin -- aws s3 cp --sse aws:kms --sse-kms-key-id alias/TransactionAccountsKey s3://some-bucket/the_file the_file

and it worked! I expected to be denied access, since I allowed only Encrypt for this IAM user. What am I missing here?

viraptor
  • What happens when bank_trans_admin has **no** permissions on the key? – Michael - sqlbot Jun 18 '17 at 11:05
  • @Michael-sqlbot That was a good question. Removing all key statements from that user didn't change the situation. I forgot that the user is an admin on KMS. If that's what you were thinking, do you want to submit it as answer? – viraptor Jun 19 '17 at 08:49
  • I did suspect that it might work anyway, but it was something of an intuitive guess. Honestly, though, the mechanism that SSE-KMS uses to assert the user's identity to KMS is not clear to me. Does KMS implicitly trust S3's assertion of the identity of the authenticated user? "Hi, I need this key because Mallory asked me to ask you for it" seems unconvincing. Before answering, I'd like to understand how and why a user's permission on the key allows the request to pass through another service (S3) with the original requester's identity intact -- intuition isn't satisfied with "it just does." – Michael - sqlbot Jun 19 '17 at 16:39

0 Answers
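The thread has no answer, but the question and the comments contain everything needed to reproduce the behaviour on paper. The following is an added example, not code from the original post or from AWS: a small Python model of the two documented rules that decide the outcome. First, the key policy is the primary authority on a KMS key; an IAM identity policy can grant an action on the key only if the key policy contains a statement allowing the account principal (arn:aws:iam::ACCOUNT:root) for that action, which is exactly the first statement in the question's key policy, and an explicit Deny in either document wins. Second, S3 does not fetch the key under its own identity: it calls KMS in the context of the requesting principal, asking for kms:GenerateDataKey on an SSE-KMS upload and kms:Decrypt on a download, so KMS evaluates the same key policy and IAM policies it would for a direct call by that principal. The account id, key role name and the assumption that "admin on KMS" means an IAM policy allowing kms:* are made up for the example; condition keys, grants and cross-account access are not modelled.

```python
"""Model of KMS key-policy plus IAM authorization for S3 SSE-KMS requests.

Added example, not from the original question. Account id, role name and the
shape of the user's IAM policy are assumptions; see the comments below.
"""
import fnmatch

ACCOUNT = "123456789012"                                   # assumed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
USER = f"arn:aws:iam::{ACCOUNT}:user/bank_trans_admin"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/bank-trans-instance"  # assumed instance-profile role

# Reconstruction of the three key policy statements listed in the question.
KEY_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["kms:Encrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
]

# "The user is an admin on KMS" (from the comments), assumed to mean an IAM
# identity policy attached to the user that allows kms:*.  The role has none.
KMS_ADMIN_IAM_POLICY = [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]

# KMS API calls S3 makes on the caller's behalf for SSE-KMS objects.
S3_OPERATION_TO_KMS_ACTION = {"PutObject": "kms:GenerateDataKey", "GetObject": "kms:Decrypt"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))


def _principal_matches(statement, principal):
    spec = statement["Principal"]
    if spec == "*":
        return True
    return principal in _as_list(spec.get("AWS", []))


def _effects(statements, action, principal=None):
    """Set of Effects of the matching statements; principal is None for identity policies."""
    return {
        s["Effect"] for s in statements
        if _action_matches(s, action) and (principal is None or _principal_matches(s, principal))
    }


def kms_authorizes(key_policy, iam_policy, principal, action):
    """True if `principal` may call `action` on the key (same-account, no conditions)."""
    key_effects = _effects(key_policy, action, principal)
    iam_effects = _effects(iam_policy, action)
    if "Deny" in key_effects or "Deny" in iam_effects:
        return False                      # an explicit deny always wins
    if "Allow" in key_effects:
        return True                       # the key policy grants it directly
    # Otherwise IAM can grant it only if the key policy delegates to the account root.
    delegated = "Allow" in _effects(key_policy, action, ROOT)
    return delegated and "Allow" in iam_effects


def s3_allowed(operation, principal, key_policy=KEY_POLICY, iam_policy=()):
    """Would S3 be able to complete `operation` on an SSE-KMS object for `principal`?"""
    return kms_authorizes(key_policy, list(iam_policy), principal,
                          S3_OPERATION_TO_KMS_ACTION[operation])


def reproduce_question():
    """The cases from the question and its comments, plus the obvious fixes."""
    no_root = [s for s in KEY_POLICY if s["Principal"] != {"AWS": ROOT}]
    no_user = [s for s in KEY_POLICY if s["Principal"] != {"AWS": USER}]
    deny_user_decrypt = KEY_POLICY + [
        {"Effect": "Deny", "Principal": {"AWS": USER}, "Action": "kms:Decrypt", "Resource": "*"}]
    return {
        "upload as KMS-admin user": s3_allowed("PutObject", USER, iam_policy=KMS_ADMIN_IAM_POLICY),
        "download as KMS-admin user": s3_allowed("GetObject", USER, iam_policy=KMS_ADMIN_IAM_POLICY),
        "download as KMS-admin user, user statement removed from key policy":
            s3_allowed("GetObject", USER, no_user, KMS_ADMIN_IAM_POLICY),
        "download as user with no IAM policy": s3_allowed("GetObject", USER),
        "upload as user with no IAM policy": s3_allowed("PutObject", USER),
        "download as KMS-admin user, root statement removed":
            s3_allowed("GetObject", USER, no_root, KMS_ADMIN_IAM_POLICY),
        "download as KMS-admin user, explicit Deny on kms:Decrypt added":
            s3_allowed("GetObject", USER, deny_user_decrypt, KMS_ADMIN_IAM_POLICY),
        "download as instance role": s3_allowed("GetObject", ROLE),
        "upload as instance role": s3_allowed("PutObject", ROLE),
    }


if __name__ == "__main__":
    for case, ok in reproduce_question().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {case}")
```

Two of the modelled cases are worth noting. Removing the user's own key policy statement changes nothing while the user's IAM policy allows kms:* and the root statement is present, which is what the comments report; removing the root statement (or adding an explicit Deny for the user on kms:Decrypt) is what actually blocks the download. Also, a key policy that grants only kms:Encrypt would not be enough for an SSE-KMS upload on its own, because S3 asks KMS for a data key with kms:GenerateDataKey; the upload in the question succeeded for the same reason the download did.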