
I am using an AWS RDS database cluster encrypted with a KMS CMK that resides in the same AWS account.

My DB cluster seems to be working fine with the default KMS policy, but I am not sure how RDS has access to the key if I did not specifically grant it.

Is this expected and the best practice? Or do I need to add a specific policy for RDS? I am a bit paranoid that my cluster might be missing permissions and may stop working at some point in the future.

SoftwareFactor
    https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html - RDS does not have access to the CMK but *you* probably have. – luk2302 Jun 15 '21 at 14:57
  • @luk2302, that means I granted RDS permissions to use my CMK when creating the cluster, right? If yes, can I expect that this grant will last indefinitely? – SoftwareFactor Jun 15 '21 at 15:00
  • No and no. When you insert data into the DB *you* need to have access to the key and if you read data *you* need access to the key, RDS itself does not. And if your user / role / group loses that permission then you cannot read the data anymore but someone else who has permission on the key will be able to. And whether or not you are allowed to use the key is either specified in one of the policies attached to you or in the policy attached to the key. – luk2302 Jun 15 '21 at 15:04
  • This is similar to S3 SSE - you specify that S3 should encrypt each object with a given key. And if you then try to write an object that is only possible if you are allowed to use the key and if you want to download / read an object you will get an AccessDenied if you do not have access to the key. – luk2302 Jun 15 '21 at 15:06
  • @luk2302, the RDS DB that I use is Aurora PostgreSQL. It also supports non-IAM-based access. I can connect to it and query/modify records with a native PostgreSQL user and no IAM roles involved. I have difficulty understanding how that fits your explanation of S3 like encryption model. What am I missing? – SoftwareFactor Jun 17 '21 at 14:47

2 Answers


It turned out that there is no need to add a specific policy to allow RDS access to KMS.

RDS gains access to the key from a grant given by the entity creating the DB cluster.

You can view the list of grants by running the following command:

aws kms list-grants --key-id yourkey

Here is a link to the source where I've found this information: https://www.reddit.com/r/aws/comments/f17a25/rds_and_kms_access_a_follow_up/

SoftwareFactor
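The answer above points at `aws kms list-grants` as the way to confirm that RDS holds a grant on the key. The following is an added example, not code from the answer or from AWS: it parses output in the shape `list-grants` returns and reports, for each grant held by a service principal, whether the grant still covers the operations the check treats as required and which encryption context it is constrained to. The sample JSON, the account id, key id, grant ids and db id are constructed placeholders; the service-principal formats it recognises (`rds.<region>.amazonaws.com` or a service-linked role ARN) and the required-operation set are assumptions of the check, not a statement of what RDS requests.

```python
import json

# Constructed sample in the shape of `aws kms list-grants --key-id <key>` output.
# Account id, key id, grant ids and the db id are placeholders, not real values.
SAMPLE_LIST_GRANTS = """
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "GrantId": "EXAMPLEGRANTID0001",
      "Name": "",
      "CreationDate": 1623766800.0,
      "GranteePrincipal": "rds.us-east-1.amazonaws.com",
      "RetiringPrincipal": "rds.us-east-1.amazonaws.com",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "Operations": ["Decrypt", "Encrypt", "GenerateDataKeyWithoutPlaintext",
                     "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "DescribeKey"],
      "Constraints": {"EncryptionContextSubset": {"aws:rds:db-id": "db-EXAMPLEDBID"}}
    },
    {
      "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "GrantId": "EXAMPLEGRANTID0002",
      "Name": "analyst-read",
      "CreationDate": 1623770000.0,
      "GranteePrincipal": "arn:aws:iam::111122223333:role/analyst",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "Operations": ["Decrypt"]
    }
  ]
}
"""

# Operations this check treats as required for the service to keep using the key.
# This set is an assumption of the example; the real set is chosen by the service
# when it creates the grant.
REQUIRED_RDS_OPS = {"Decrypt", "GenerateDataKeyWithoutPlaintext", "CreateGrant", "DescribeKey"}


def parse_grants(text):
    """Return the Grants array from list-grants JSON (empty list if absent)."""
    return json.loads(text).get("Grants", [])


def is_service_grant(grant, service):
    """True if the grantee looks like an AWS service principal.

    Assumed formats: '<service>.<region>.amazonaws.com' or a service-linked
    role ARN containing '/aws-service-role/<service>.amazonaws.com/'.
    """
    principal = grant.get("GranteePrincipal", "")
    regional = principal.startswith(service + ".") and principal.endswith(".amazonaws.com")
    linked_role = f"/aws-service-role/{service}.amazonaws.com/" in principal
    return regional or linked_role


def audit_service_grants(text, service="rds", required=REQUIRED_RDS_OPS):
    """Map GrantId -> {"missing": [ops absent from grant], "context": ec subset}
    for every grant held by `service`. An empty result means the service holds
    no grant on this key at all, which is the case worth alerting on."""
    findings = {}
    for grant in parse_grants(text):
        if not is_service_grant(grant, service):
            continue
        missing = sorted(required - set(grant.get("Operations", [])))
        context = grant.get("Constraints", {}).get("EncryptionContextSubset", {})
        findings[grant["GrantId"]] = {"missing": missing, "context": context}
    return findings


if __name__ == "__main__":
    # Run against real output with: aws kms list-grants --key-id <key> | python this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_GRANTS
    for grant_id, info in audit_service_grants(data).items():
        status = "ok" if not info["missing"] else "missing " + ", ".join(info["missing"])
        print(f"{grant_id}: {status}; encryption context {info['context']}")
```

The grant's `EncryptionContextSubset` is the part worth reading: it ties the grant to one database, so a grant for a deleted cluster is not silently reused by another, and its disappearance after a cluster rebuild is expected rather than a sign of drift.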

It seems like you got this working, but the answer may be incomplete if you are using a customer managed CMK. When you use a customer managed KMS CMK, you are in control of who (what) can use your CMK in KMS. For example, if you put in an explicit deny in your CMK Key Policy for kms:creategrant for all principals and restart the database, you will find that the database won't start because it will be unable to load the data. (If you do such a test, make sure you use a single-AZ since the multi-AZ will have a warm failover ready when you reboot it). By default, the key policy enables delegation to IAM, so you can manage access to the key in IAM, but this is not required. You have fine grained control over access to items like creategrant in a customer managed CMK. You can even use conditions of the encryption context to grant some services and deny others, or even specific RDS instances or EBS volumes: https://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html

See here for some more information on RDS and the types of encryption supported. https://aws.amazon.com/blogs/database/securing-data-in-amazon-rds-using-aws-kms-encryption/

Also, see here for what is needed for the use of EBS encryption, which is what is used by RDS for storage: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements

Foghorn
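The answer above describes two things a key policy review should catch: whether the default "delegate to IAM" statement is still present, and whether an explicit Deny of kms:CreateGrant for all principals has crept in, which stops the database from starting. The following is an added example, not code from the answer or from AWS: it loads a key policy and flags unconditional Deny statements that match a given action for every principal, and checks whether the account root is still allowed to create grants. The two policies are constructed; the account id is a placeholder. The condition keys `kms:ViaService` and `kms:GrantIsForAWSResource` in the scoped policy are real KMS condition keys, but the checker deliberately treats any Deny that carries a Condition as "scoped, review by hand" rather than evaluating the condition, so a scoped Deny is reported differently from the blanket one.

```python
import json
from fnmatch import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
REGION = "us-east-1"      # placeholder region

# Constructed key policy: the default "delegate to IAM" statement plus the
# blanket Deny of kms:CreateGrant for all principals described in the answer.
BROKEN_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "BlockGrants", "Effect": "Deny", "Principal": "*",
         "Action": "kms:CreateGrant", "Resource": "*"},
    ],
})

# Constructed variant: the Deny is conditioned so it only applies to CreateGrant
# calls that do not arrive through the RDS service for an AWS resource.
SCOPED_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "DenyDirectGrants", "Effect": "Deny", "Principal": "*",
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {
             "StringNotEquals": {"kms:ViaService": f"rds.{REGION}.amazonaws.com"},
             "Bool": {"kms:GrantIsForAWSResource": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """'Principal': '*' or {'AWS': '*'} means every principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return fnmatch(action.lower(), pattern.lower())


def unconditional_denies(policy_text, action):
    """Sids of Deny statements that hit `action` for every principal and carry
    no Condition. These are the ones that break service grants outright."""
    policy = json.loads(policy_text)
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def conditional_denies(policy_text, action):
    """Sids of Deny statements on `action` that do carry a Condition (review by hand)."""
    policy = json.loads(policy_text)
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Deny" and stmt.get("Condition")
            and any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))]


def delegates_to_iam(policy_text, account):
    """True if the account root is allowed kms:CreateGrant (the default key policy
    grants kms:* to root, which is what lets IAM policies manage the key)."""
    policy = json.loads(policy_text)
    root = f"arn:aws:iam::{account}:root"
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if root in _as_list(principal.get("AWS")) and any(
                _action_matches(p, "kms:CreateGrant") for p in _as_list(stmt.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    # Feed a real policy with: aws kms get-key-policy --key-id <key> --policy-name default --output text
    for name, policy in (("broken", BROKEN_KEY_POLICY), ("scoped", SCOPED_KEY_POLICY)):
        print(name, "blanket denies:", unconditional_denies(policy, "kms:CreateGrant"),
              "conditional denies:", conditional_denies(policy, "kms:CreateGrant"),
              "IAM delegation:", delegates_to_iam(policy, ACCOUNT))
```

An explicit Deny wins over every Allow, including the grant RDS already holds being re-issued on restart, which is why the blanket form is reported separately from the conditioned one: the first is a certain outage on the next reboot, the second needs a human to confirm that the condition really exempts the service paths the database uses.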