
I have 2 IAM users (A & B), both having Administrator access. After logging in as 'A', I create a CMK in KMS and specify only 'A' as 'Key administrator' and 'Key user'. However, when I log in as 'B' and try creating an encrypted volume using the CMK created by 'A', I am still able to go ahead and get the volume created. I am even allowed to disable the key when logged in as 'B'.

How is it possible that when 'B' is not added as a key user in Key Policy, it is still able to perform encryption of a volume using the key? Am I missing any concept here?

1 Answer


Did you check if the volume is eventually created and healthy/working fine?

As per https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html:

AWS authenticates the CMK asynchronously. Therefore, if you specify an ID, alias, or ARN that is not valid, the action can appear to complete, but eventually fails.

Also check the KMS key policy permissions and see what access is granted.

  • Thanks Prashant. "Did you check if the volume is eventually created and healthy/working fine?" - Yes, the volume is healthy. "Also check the KMS key policy permissions and see what access is granted" - Key policy permission allows only user A. I am still wondering whether this could be because both A & B have the administrator access IAM policy, although the AWS documentation says nothing about this. – Abhishek Palakkal Kaliyath Apr 21 '20 at 02:54
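A check that follows the answer's advice ("see what access is granted" in the key policy), as an added example that is not part of the original thread. Key policies created through the KMS console include by default a statement (Sid "Enable IAM User Permissions") that grants `kms:*` to the account root principal; that statement delegates authorization to IAM policies, so an IAM identity whose IAM policy allows `kms:*` (such as one with AdministratorAccess) can use and administer the key even though it is not listed as a key user or key administrator. The policy document below is constructed for the example; the account id is a placeholder, and the function names are this example's own.

```python
import json

# Constructed sample key policy in the shape the KMS console generates.
# Account id 111122223333 is a placeholder; user/A stands for the question's user 'A'.
KEY_POLICY_WITH_ROOT = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/A"},
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_arns(stmt):
    """Return the AWS principals of a statement ('*' is reported as '*')."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def _is_root_delegation(stmt):
    """True if this Allow statement hands kms:* to an account root principal (or '*'),
    which makes IAM policies in that account sufficient to use the key."""
    if stmt.get("Effect") != "Allow":
        return False
    grants_all = any(a in ("kms:*", "*") for a in _as_list(stmt.get("Action", [])))
    root_like = any(p == "*" or p.endswith(":root") for p in _principal_arns(stmt))
    return grants_all and root_like


def iam_delegation_statements(policy):
    """Sids of statements that delegate key access to IAM policies."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy.get("Statement", []))
            if _is_root_delegation(s)]


def explicit_principals(policy):
    """Principals named directly in the key policy (what the console shows as
    key administrators / key users)."""
    arns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        arns.update(_principal_arns(stmt))
    return arns


def without_root_delegation(policy):
    """Copy of the policy with the root-delegation statement(s) removed, so only
    principals named in the key policy can use the key. Caveat: a key policy with
    no way for anyone to administer the key becomes unmanageable, so keep an
    explicit key-administrator statement in place before applying such a change."""
    hardened = dict(policy)
    hardened["Statement"] = [s for s in _as_list(policy.get("Statement", []))
                             if not _is_root_delegation(s)]
    return hardened


if __name__ == "__main__":
    print("delegation statements:", iam_delegation_statements(KEY_POLICY_WITH_ROOT))
    print("explicit principals:", sorted(explicit_principals(KEY_POLICY_WITH_ROOT)))
    hardened = without_root_delegation(KEY_POLICY_WITH_ROOT)
    print("after hardening:", iam_delegation_statements(hardened),
          sorted(explicit_principals(hardened)))
```

Against a real key, the same logic can be run over the JSON returned by `aws kms get-key-policy --key-id <id> --policy-name default`. If the root-delegation statement is present, the IAM policies attached to the second user decide the outcome, which matches the behaviour the question describes.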