
Need to get a better solution for the below problem statement:

My secrets and config are encrypted via Mozilla sops. Let's say the first time the DevOps team will do this at their end, but the DevOps team will NOT encrypt the config all the time for the developer. To solve this problem we want to give access to the developer, and when we think of giving access to them we need to put security first. Currently, we are thinking of creating a master box and giving access to 2 selected members of the team who have this kind of access. But as per the current situation, if both of those two developers are not available we need to give access to a 3rd, and eventually one day everybody in the team has that access, which we don't want. What we want is to not give any other kind of access to the developer, meaning he can only play with his KMS keys, not the other available KMS keys which do not belong to him. Is this possible?

Because when we give KMS resource access to that person, eventually he has access to all the keys in the KMS portal. So for that, we need to give fine-grained access to developers so they can access only the specific KMS key which belongs to their project. No permission more than that!

me25
  • Don't really understand what you're trying to do? You want to give access, but then you say, `what we want is without giving any kind of access to the developer can we solve this problem`. Do you mean you want to give each developer access to only particular KMS keys and not all of the KMS keys? – Paradigm May 30 '20 at 17:53
  • yes, you are absolutely right, need to give each developer access to only particular KMS keys and not all of the KMS keys. – me25 Jun 02 '20 at 09:10

1 Answer


One way to restrict access to KMS keys for each user (or developer) is to use key policies for your customer master keys (CMKs) in AWS KMS. This documentation goes through how key policies can be used: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow root account full access",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow specific permissions to dev user",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::444455556666:user/dev1"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Note: In a key policy, you use * for the resource, which means "this CMK". A key policy applies only to the CMK it is attached to.

Paradigm
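To check that the per-project key policies the answer describes really give each developer only their own key, here is an added example (not from the answer or from AWS): it builds constructed key policies in the shape shown above, evaluates which principals a key policy allows to call a KMS action (honouring action wildcards and explicit Deny), and reports any developer who can kms:Decrypt a key outside their project. Account id, user ARNs and key names are constructed placeholders.

```python
import fnmatch
# Constructed example (not the poster's policies): one KMS key per project, each
# with its own key policy. In a key policy "Resource": "*" means "this key".
ACCOUNT = "444455556666"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
DEV1 = f"arn:aws:iam::{ACCOUNT}:user/dev1"
DEV2 = f"arn:aws:iam::{ACCOUNT}:user/dev2"
USE_ONLY = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
            "kms:GenerateDataKey*", "kms:DescribeKey"]

def key_policy(dev_arn):
    """Per-project key policy: the account root keeps kms:*, one developer gets use-only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Root", "Effect": "Allow", "Principal": {"AWS": ROOT},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ProjectDev", "Effect": "Allow", "Principal": {"AWS": [dev_arn]},
         "Action": USE_ONLY, "Resource": "*"}]}

# project-c was copied from another key and still carries a leftover grant to dev1.
leaky = key_policy(DEV2)
leaky["Statement"].append({"Sid": "LeftOver", "Effect": "Allow", "Principal":
                           {"AWS": DEV1}, "Action": "kms:Decrypt", "Resource": "*"})
KEY_POLICIES = {"project-a-key": key_policy(DEV1),
                "project-b-key": key_policy(DEV2), "project-c-key": leaky}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))

def principals_for(policy, action):
    """Principals the key policy lets call `action`; an explicit Deny wins. Only the
    key policy is evaluated: IAM identity policies and grants are out of scope here."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            (allowed if stmt["Effect"] == "Allow" else denied).update(_principals(stmt))
    return set() if "*" in denied else allowed - denied

def audit(key_policies, expected):
    """Map each developer to the keys they can kms:Decrypt outside their own project."""
    extra = {}
    for key, policy in key_policies.items():
        for dev in principals_for(policy, "kms:Decrypt") - {ROOT}:
            if key not in expected.get(dev, set()):
                extra.setdefault(dev, []).append(key)
    return {d: sorted(k) for d, k in extra.items()}
```

Because the root statement enables IAM policies in the account, an IAM policy granting kms:Decrypt on all keys would bypass this check, so keep developer IAM policies free of broad KMS actions and audit them separately.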