
I need to add a policy in KMS to allow only a few users/roles to read from a KMS CMK. But I also need to have a policy wherein I can pass a role ARN with a wildcard. When I do this using the below, I cannot pass a wildcard, because a wildcard is not allowed along with an ARN in an AWS principal.

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567891:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Hence I tried using the below format. But I am getting the error "PutKeyPolicy request failed MalformedPolicyDocumentException - The new key policy will not allow you to update the key policy in the future."

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789123:root",
                        "arn:aws:iam::123456789123:role/service-role/dev-role",
                        "arn:aws:iam::123456789123:role/stage-role",
                        "arn:aws:iam::123456789123:role/wildcardrole-cognito-12345-authRole*"
                    ]
                }
            }
        }
    ]
}
Pavan Kumar
  • The second policy does not allow anyone to use the key, plus it explicitly denies some. Change it to an allow policy with a StringLike – luk2302 Jun 21 '23 at 17:45
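The policy shape the comment points at, as an added example that is neither the asker's nor luk2302's code: the wildcard goes into a StringLike condition on aws:PrincipalArn under an Allow statement, the account-root statement is kept so the key policy stays updatable, and a small fnmatch-based helper (an assumption for illustration, not how KMS evaluates policies) shows which principal ARNs satisfy the condition. The account id, role names, Sid and helper names are constructed.

```python
# Added example: corrected KMS key policy plus a simulated condition check.
# Account id, role names, Sid and the helper functions are assumptions.
import fnmatch
import json

ACCOUNT = "123456789123"  # constructed, taken from the question's sample ARNs

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {   # Keep this Allow for the account root: a policy with only Deny
            # statements can never be updated again, which is the error seen.
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # The wildcard lives in the Condition, not in Principal.
            "Sid": "AllowReadForSelectedRoles",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:PrincipalAccount": ACCOUNT},
                "StringLike": {"aws:PrincipalArn": [
                    f"arn:aws:iam::{ACCOUNT}:role/service-role/dev-role",
                    f"arn:aws:iam::{ACCOUNT}:role/stage-role",
                    f"arn:aws:iam::{ACCOUNT}:role/wildcardrole-cognito-12345-authRole*",
                ]},
            },
        },
    ],
}

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one char."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def read_allowed(principal_arn: str, policy: dict = KEY_POLICY) -> bool:
    """Does this principal ARN satisfy the read statement's conditions?"""
    stmt = next(s for s in policy["Statement"] if s["Sid"] == "AllowReadForSelectedRoles")
    cond = stmt["Condition"]
    if principal_arn.split(":")[4] != cond["StringEquals"]["aws:PrincipalAccount"]:
        return False  # same role name in another account is rejected
    return any(string_like(p, principal_arn) for p in cond["StringLike"]["aws:PrincipalArn"])

if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=4))
```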

0 Answers