
In KMS there are the Amazon aliased keys (e.g. /alias/aws/s3) and Customer Master Keys (CMKs).

For each development team, I have a few CMKs with aliases (e.g. /alias/team1/default, /alias/team1/confidential)

I'd like to allow access to the AWS aliased keys for all IAM users/groups/roles, but provide team-level access to team-level keys.

My issue comes when trying to allow access to AWS managed keys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "kms:*"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:111111111111:alias/aws/*",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "false"
        }
      }  
    }
  ]
}

To provide an implicit deny for iam:* and kms:*, but allow access to the AWS aliased keys.

When working with the IAM policy simulator, it looks like I have to provide access to the full key ARN (arn:aws:kms:us-east-1:111111111111:key/abcd123-acbd-1234-abcd-acbcd1234abcd) rather than the alias (arn:aws:kms:us-east-1:111111111111:alias/aws/*).

Is there a better way to manage this?

I know I can manage access to CMKs using key policies and not allow access from IAM, but you can't use groups as a Principal in a KMS key policy.

maafk
    Be careful with the NotAction element. In your example policy you have granted all services and actions that are NOT iam:* and kms:*. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html – John Hanley Nov 01 '17 at 20:55
  • This is for our dev account and the group I'm making this for is a 'poweruser' group. The idea is they should have the ability to try things and experiment without friction, but should a team decide to encrypt with their own keys, I want the key access isolated – maafk Nov 02 '17 at 00:26

2 Answers


While I know the issue is resolved, I am tempted to post this from the best source.
An alias cannot be used within policies. Refer to the following passage from https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf:

It should be noted that CMK aliases can't be used within policies. This is because the mapping of aliases to keys can be manipulated outside the policy, which would allow for an escalation of privilege. Therefore, key IDs must be used in KMS key policies, IAM policies, and KMS grants.

maafk
Sujith Babu

You can use a key alias as the resource for the APIs that act on the aliases themselves (e.g. Create/Delete Alias), but an alias cannot be used as the ARN in place of a key ID to control access to the underlying keys. You can refer to the table at the following URL, which explains which resource/ARN to use with each KMS API.

http://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html

You can consider this approach: allow the IAM group to assume an IAM role, and allow that IAM role in the CMK's key policy.

Source: https://forums.aws.amazon.com/thread.jspa?threadID=173540

sudo