
I can't seem to use the "kms:CallerAccount" condition in a KMS customer managed key used for encrypting existing CloudWatch log groups.

I followed the official docs and created a symmetric KMS key with the following policy which allows the key to be used with any log group (account ID redacted):

{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.eu-central-1.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-central-1:xxx:*"
        },
        "StringEquals": {
          "kms:CallerAccount": "xxx"
        }
      }
    }
  ]
}

The only difference between the policy from the docs and my policy is that my policy has the "kms:CallerAccount" condition:

"StringEquals": {
    "kms:CallerAccount": "xxx"
}

I get the following error when I try to associate my key with the log group /aws/batch/job:

❯ aws logs associate-kms-key --log-group-name /aws/batch/job --kms-key-id arn:aws:kms:eu-central-1:xxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

An error occurred (AccessDeniedException) when calling the AssociateKmsKey operation: The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:eu-central-1:xxx:log-group:/aws/batch/job'

I can associate the key with the log group without errors when I remove the "kms:CallerAccount" condition from the key's policy.

How do I include the "kms:CallerAccount" condition in a customer managed key used for encrypting CloudWatch log groups?

edo

1 Answer


I ended up opening an AWS support case and this is the reply I got:

Based off the key policy provided, you are saying that only identities from the account "xxx" have the ability to call the KMS actions listed in the policy as well as the CloudWatch service. It will not be necessary to include the "CallerAccount" condition key, since the existing condition key "encryption context" scopes this key down to a particular region, account number, and log group name. Following this documentation (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html), specifically the section "AWS KMS keys and encryption context" shows how the encryption context condition key can be used to scope down the usage of this KMS key as you have specified.

I tested the policy in my own environment and saw that a key with this policy condition could not be used with a CloudWatch group, but if you remove the condition and add it to the key after the key is in use by the log group it does not break it. There is a check in CloudWatch used in the key policy that is not compatible with this condition key, and that is why we must use the key policy shown in the docs, which still accomplishes encrypting your CloudWatch logs.

edo
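An added check, written for this page and not taken from the question or from AWS's documentation, that lints a KMS key policy the way the support reply reasons: the kms:EncryptionContext:aws:logs:arn condition is what scopes the key to a region, account and log group, while kms:CallerAccount on the CloudWatch Logs service statement is what makes AssociateKmsKey fail. The sample policy is constructed in the shape of the one in the question; 111122223333 is a placeholder account id, and the function and finding names are mine.

```python
import json

# Constructed sample shaped like the asker's key policy, kms:CallerAccount included; 111122223333 is a placeholder account id.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow",
     "Principal": {"Service": "logs.eu-central-1.amazonaws.com"},
     "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
     "Resource": "*",
     "Condition": {
       "ArnEquals": {"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-central-1:111122223333:*"},
       "StringEquals": {"kms:CallerAccount": "111122223333"}}}]}""")


def logs_statements(policy):
    """Yield Allow statements granted to a regional CloudWatch Logs service principal."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") == "Allow" and any(
                s.startswith("logs.") and s.endswith(".amazonaws.com") for s in services):
            yield stmt

def lint_logs_key_policy(policy):
    """Flag a missing encryption-context scoping and any kms:CallerAccount on the Logs statements."""
    findings = []
    for stmt in logs_statements(policy):
        # IAM condition keys are case-insensitive, so compare lowercased
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "kms:encryptioncontext:aws:logs:arn" not in keys:
            findings.append("missing kms:EncryptionContext:aws:logs:arn condition")
        if "kms:calleraccount" in keys:
            findings.append("kms:CallerAccount on the Logs statement breaks AssociateKmsKey")
    return findings

def strip_caller_account(policy):
    """Deep copy with kms:CallerAccount removed from the Logs statements only (other statements untouched)."""
    fixed = json.loads(json.dumps(policy))
    for stmt in logs_statements(fixed):
        for op, block in list(stmt.get("Condition", {}).items()):
            for key in [k for k in block if k.lower() == "kms:calleraccount"]:
                del block[key]
            if not block:  # drop an operator left with no keys
                del stmt["Condition"][op]
    return fixed
```

Run the linter over `get-key-policy` output before calling `associate-kms-key`; the root-account statement and the ArnEquals scoping survive `strip_caller_account` unchanged.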