I'm hoping some AWS policy expert may be able to help me decode what's going on here.

I've been playing with IAM and resource policies in AWS. According to AWS's own documentation, unless there are any explicit denies in all of the policies, the resource policy should take precedence over the IAM policy. See the attached link showing AWS's policy evaluation logic. If the resource policy is an 'allow', then the IAM policy shouldn't be evaluated.

Policy Evaluation Logic

The challenge I'm struggling to get to grips with (when using KMS) is this. I have defined a user IAM policy that looks like this:

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DeleteAlias"
            ],
            "Resource": "*"
        }
    ]
}

Its only purpose is to permit a user to delete a KMS CMK alias. And I have created a KMS CMK (resource policy) that looks like this:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxx:user/user1"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Delete*"
            ],
            "Resource": "*"
        }
    ]
}

The problem I'm having is that, despite the KMS resource policy saying I can 'CreateAlias', AWS is not allowing me to do it unless the IAM policy explicitly includes it too.

I'm hoping someone may be able to explain to me how AWS's policy logic actually works and whether I may be doing something wrong.

Many thanks in advance!

pete
  • Is this cross-account? – luk2302 Sep 21 '21 at 11:29
  • Nope, all within a single account. – pete Sep 21 '21 at 11:30
  • So user1 has the policy attached? – Marcin Sep 21 '21 at 11:50
  • Yes. Sorry I didn't make that clear. The IAM policy above is user1's policy. – pete Sep 21 '21 at 12:21
  • What is the exact cli call you are performing and what is the exact error message you receive? – luk2302 Sep 21 '21 at 12:43
  • I'm using the console. This is the error message it is throwing: AccessDeniedException - User: arn:aws:iam::xxxxxxxxx:user/user1 is not authorized to perform: kms:CreateAlias on resource: arn:aws:kms:eu-west-2:xxxxxxxxxx:alias/test. If I add CreateAlias to IAM it works, even though CreateAlias is already in the CMK policy. – pete Sep 21 '21 at 12:53
  • How did it go? Still unclear why you need IAM policies? – Marcin Sep 23 '21 at 00:38
  • Thanks Marcin. It makes perfect sense to me now. Thanks for finding the relevant AWS help pages. – pete Sep 26 '21 at 19:38

2 Answers

This is because KMS alias actions are unique and require both KMS key policy and IAM policy permissions. Specifically, kms:CreateAlias must be allowed in both the key policy and the IAM policy of your user1.

This means that KMS key policies apply only to keys, not aliases.

Marcin
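
As an added illustration of the evaluation the question and this answer describe (example code written for this page, not from AWS or from either poster), here is a small Python model of same-account KMS authorization using the two posted policies. It assumes a placeholder account id and key id, treats the account-root principal in the key policy as delegating to the caller's IAM policy (which is what the "Enable IAM User Permissions" statement does), and extends the answer's CreateAlias rule to the other alias actions as an assumption:

```python
"""Toy same-account check for the IAM and KMS key policies in this thread.
Added example, not AWS code: the key policy is evaluated against the caller; an
account-root principal in the key policy delegates to the caller's IAM policy;
an explicit deny wins; alias actions need an allow in BOTH policies (answer)."""
import fnmatch

ACCOUNT = "111111111111"  # placeholder for the redacted account id
USER1 = f"arn:aws:iam::{ACCOUNT}:user/user1"

# user1's IAM policy as posted, and the same policy with kms:CreateAlias added.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:DeleteAlias"], "Resource": "*"}]}
FIXED_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:DeleteAlias", "kms:CreateAlias"], "Resource": "*"}]}

# The key policy from the question, with its statement list closed properly.
KEY_POLICY = {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": [USER1]},
     "Action": ["kms:Create*", "kms:Delete*"], "Resource": "*"},
]}

# Actions that need an allow in both policies. The answer names CreateAlias;
# treating the other alias actions the same way is an assumption here.
ALIAS_ACTIONS = {"kms:createalias", "kms:updatealias", "kms:deletealias"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _covers(stmt, action, resource_arn):
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource_arn)


def _principal_match(stmt, principal_arn):
    """'direct' if the statement names the caller, 'delegated' if it names the
    caller's account root (field 4 of the ARN is the account id), else None."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return "direct"
    for p in _as_list(principal.get("AWS", [])):
        if p == principal_arn:
            return "direct"
        if p.endswith(":root") and p.split(":")[4] == principal_arn.split(":")[4]:
            return "delegated"
    return None


def evaluate_identity(policy, action, resource_arn):
    """'allow', 'deny' or None (implicit deny) from the caller's own IAM policy."""
    result = None
    for stmt in policy["Statement"]:
        if _covers(stmt, action, resource_arn):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def evaluate_key_policy(policy, principal_arn, action, resource_arn, identity_result):
    """'allow', 'deny' or None from the key policy. A delegated (account-root)
    allow only counts when the caller's IAM policy also allows the action."""
    result = None
    for stmt in policy["Statement"]:
        how = _principal_match(stmt, principal_arn)
        if how is None or not _covers(stmt, action, resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny wins regardless of any allow
        if how == "direct" or identity_result == "allow":
            result = "allow"
    return result


def is_authorized(identity_policy, key_policy, principal_arn, action, resource_arn,
                  alias_requires_both=True):
    """Decide a same-account KMS request. alias_requires_both=False shows what the
    generic 'a resource-policy allow is enough' rule would have said instead."""
    ident = evaluate_identity(identity_policy, action, resource_arn)
    key = evaluate_key_policy(key_policy, principal_arn, action, resource_arn, ident)
    if "deny" in (ident, key):
        return False
    if alias_requires_both and action.lower() in ALIAS_ACTIONS:
        return ident == "allow" and key == "allow"
    return key == "allow"


def run_examples():
    alias_arn = f"arn:aws:kms:eu-west-2:{ACCOUNT}:alias/test"  # from the error in the comments
    key_arn = f"arn:aws:kms:eu-west-2:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"  # constructed

    def check(policy, action, resource, **kw):
        return is_authorized(policy, KEY_POLICY, USER1, action, resource, **kw)

    return {
        "CreateAlias, alias rule": check(IDENTITY_POLICY, "kms:CreateAlias", alias_arn),
        "CreateAlias, generic rule": check(IDENTITY_POLICY, "kms:CreateAlias", alias_arn,
                                           alias_requires_both=False),
        "CreateAlias, IAM policy fixed": check(FIXED_IDENTITY_POLICY, "kms:CreateAlias", alias_arn),
        "DeleteAlias": check(IDENTITY_POLICY, "kms:DeleteAlias", alias_arn),
        "CreateGrant (key policy alone)": check(IDENTITY_POLICY, "kms:CreateGrant", key_arn),
        "Encrypt (neither policy)": check(IDENTITY_POLICY, "kms:Encrypt", key_arn),
    }


if __name__ == "__main__":
    for name, ok in run_examples().items():
        print(f"{name:32} {'ALLOW' if ok else 'DENY'}")
```

Running it prints one ALLOW/DENY line per case. The CreateAlias row is denied under the alias rule and allowed under the generic rule, which is exactly the discrepancy the question reports; CreateGrant shows the normal case where a direct key-policy allow is enough on its own, and Encrypt shows that the account-root statement grants nothing unless an IAM policy also allows the action.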

I believe that the culprit could be that you are missing kms:DescribeKey in both the IAM and the resource policy. It is listed as required in the Controlling access to aliases document.

  • kms:CreateAlias for the KMS key. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

{
  "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
  "Action": [
    "kms:CreateAlias",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Nick
  • Thanks. Didn't work though. I added 'kms:DescribeKey' to both the IAM and KMS policies to no effect. I still have the issue that if the KMS policy permits me to do something but the IAM policy doesn't, it prevents me from doing it. This is despite the AWS policy evaluation logic stipulating that resource policies take precedence over IAM policies, provided there aren't any explicit denies anywhere. – pete Sep 21 '21 at 13:20
  • @Nick This is because key aliases are unique and require special permissions in IAM policies. Permissions in key policy only are not enough to manage key aliases. – Marcin Sep 21 '21 at 23:39