5

I'm managing KMS permissions to CMK's across AWS accounts, to prove an account with access to another account's KMS key(s) I'm using Grants rather than policies since AWS suggests they're more temporary which fits my need for all intents and purposes.

I'm aware there's a maximum limit of grants per resource so after I've granted permissions and no longer need them, I should clean up the grant(s).

According to AWS, there's two ways to go about this Retire a grant or Revoke a grant. Each with a slightly different descriptions:

Retire: To retire a grant for an AWS KMS customer master key, use the RetireGrant operation.
        You should retire a grant to clean up after you are done using it.

Revoke: To revoke a grant to an AWS KMS customer master key, use the RevokeGrant operation.
        You can revoke a grant to explicitly deny operations that depend on it.

Is the only difference that Revoke is going to deny any ongoing operations or is there more to it? "you should retire a grant when you are done using it" seems a bit vague and I would like a more technical explanation.

Could someone elaborate with the actual differences between the two and I would appreciate any extra resources on the subject.

Resources I've used:

https://docs.aws.amazon.com/cli/latest/reference/kms/retire-grant.html
https://docs.aws.amazon.com/cli/latest/reference/kms/revoke-grant.html
https://api.spotinst.com/elastigroup-for-aws/tutorials/using-cross-account-kms-key-to-encrypt-ebs-volumes-with-spotinst/
https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant
Tom Nijs
  • 3,835
  • 3
  • 22
  • 40

1 Answers1

9

Both Retire and Revoke result in the grant being deleted and any permissions that it provided being removed. The difference is in who is able to perform this operation.

As the key owner, subject to the standard key access authentication process, you can revoke the grant. In addition, when you create a grant you can assign a retiring principle. This principle can now "clean up" and remove this single grant.

Imagine that you have a principle in another account that you need to grant access to. You trust this principle to remove its access when it has completed its work. So you create a grant, with this principle as the retiring principle and deliver the grant. You expect that the work will be completed and the principle to retire the grant at the end of the week. Let us say that 3 weeks later, you notice that this grant is still active. You then revoke the grant and contact the principle to find out what happened.

ryan
  • 141
  • 1