0

So we've been trying to create a system where a user logins via AWS Congito. There is an identity pool associated with the user pool, so each authenticated user that logs in gets assigned an IAM Role.

Now what I would like to achieve is to have each user log in and create a new KMS master key. This should should only be accessible by this user and not any other user within the user pool. The problem is that each role gets assigned the same IAM Role. So in each authenticated user can access all the keys created by every user in this pool.

Is there any way I can associate a KMS key with a specific cognito user. So that they are only able to access their keys and are restricted by AWS from accessing any other keys? Any help would be greatly appreciated.

sulaman-akru
  • 1
  • 1
  • If you've made an attempt to restrict which IAM principals can access the key, then show us how you've done that. – jarmod Feb 10 '22 at 11:49
  • I am just trying to restrict assumed-role to access other assumed-role KMS key. Basically i am creating KMS master key for each assumed-role now i want to restrict my assumed-roles to use other assumed-role KMS key – sulaman-akru Feb 10 '22 at 11:55
  • i am really stuck cant figure out any solution can you give me a work around. – sulaman-akru Feb 10 '22 at 11:57
  • Your question is not very clear. If you want a given IAM role to have access to two KMS keys then add both of these key ARNs to the permissions assigned to the roles, and then add both of those role ARNs to the KMS key policy of each key, or use the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam), which allows IAM principals in the same account to control KMS key access through IAM policies. Also see [this answer](https://stackoverflow.com/questions/63177845/understanding-kms-policy). – jarmod Feb 10 '22 at 12:11

0 Answers0