Get aws kms key from ec2 instance

Asked Jan 24 '18 at 05:34

Active Jan 24 '18 at 05:34

Viewed 741 times

I"m trying to avoid hard coding AWS 'KMS key' in a python application running on AWS EC2 instance. The AWS EC2 instance is assigned with an IAM role where access to the particular KMS key is defined. The instance doesnt have access to list all the KMS keys in the account but have access to only one. Is there any way to get the KMS key name, to which it have access from the application(using boto3?) The KMS Key IAM role definition look like this:

            "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus",
            "kms:GetParametersForImport",
            "kms:ListAliases",
            "kms:ListGrants",
            "kms:ListKeyPolicies",
            "kms:ListKeys",
            "kms:ListResourceTags",
            "kms:ListRetirableGrants"
        ],
        "Resource": [
            "arn:aws:kms:xx-xxxx-x:xxxxxxxx:key/yyyy-yyy-yyyy-yyyy-yyyy"
        ]

asked Jan 24 '18 at 05:34

rose

2

You can get the key-alias of the key id, but why you don't want to "hard code" the key arn? – sudo Jan 24 '18 at 07:41
@sudo - wanted to provide more security – rose Jan 24 '18 at 08:02
2

Hiding the ARN is security by obscurity. One can do a brute force attack and figure out the ARN. – Viccari Jan 24 '18 at 16:02

Get aws kms key from ec2 instance

0 Answers0