KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager

Question

I've set up a CMK (Custom Managed Key) to encrypt LogGroups with AWS Systems Session Manager:

First, permissions for "key administrators" and "key users/roles" are added in the KMS console.
Next, the CMK is attached in AWS Systems Manager Session Manager Preferences to the LogGroup as shown in this image:

Error:

The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM'

The key must exist because it's used to encrypt the Sessions and is just not decrypting LogGroups properly, but it is linked to the LogGroup and the user has permission. What gives?

score 4 · Accepted Answer · answered Jul 01 '20 at 05:28

I tried to replicate your issue.

My session manger settings:

The CloudWatch log group has been encrypted using CLI:

{
    "logGroups": [
        {
            "logGroupName": "SSM",
            "creationTime": 1593579430258,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
            "storedBytes": 0,
            "kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
        }
    ]
}

After launching the session manger I can get confirmation that it is encrypted:

Based on this verification, the only thing required to make it work was setting KMS key policies. I added the following to my KMS (SSMRole is instance role, the other entries should be self-explenatory):

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*",
    "Condition": {
        "ArnLike": {
            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
        }
    }
},    
{
    "Effect": "Allow",
    "Principal": {
        "Service": "ssm.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*"            
}, 
{
    "Effect": "Allow",    
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*",
    "Principal": {
        "AWS": "arn:aws:iam::xxxxx:role/SSMRole"
    }      
}

Great success, Marcin. Appreciate the thorough explanation, helps me understand policy usage much better. — ForeverLearningAndCoding, Jul 01 '20 at 06:04
@ForeverLearningAndCoding No problem. These policies could be probably made better by following the "least privileged" criteria, but its good start for future modifications. — Marcin, Jul 01 '20 at 06:05
Some relevant documentation: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html — lxop, Aug 12 '22 at 04:56

KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager

1 Answers1