pete

Reputation: 33

AWS IAM and KMS policy 'muddlement'

I'm hoping some AWS policy expert may be able to help me decode what's going on here.

I've been playing with IAM and resource policies in AWS. According to AWS's own documentation, unless there are any explicit denies in all of the policies, the resource policy should take precedence over the IAM policy. See the attached link showing AWS's policy evaluation logic. If the resource policy is an 'allow', then the IAM policy shouldn't be evaluated.

Policy Evaluation Logic

The challenge I'm struggling to get to grips with (when using KMS) is this. I have defined a user IAM policy that looks like this:

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DeleteAlias"
            ],
            "Resource": "*"
        }
    ]
}

Its only purpose is to permit a user to delete a KMS CMK alias. And I have created a KMS CMK (resource policy) that looks like this:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxx:user/user1"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Delete*"
            ],
            "Resource": "*"
        }
    ]
}

The problem I'm having is that, despite the KMS resource policy saying I can 'CreateAlias', AWS is not allowing me to do it unless the IAM policy explicitly includes it too.

I'm hoping someone may be able to explain to me how AWS's policy logic actually works and whether I may be doing something wrong.

Many thanks in advance!

Upvotes: 3

Views: 4027

Answers (2)

Marcin

Reputation: 238051

This is because KMS alias actions are unique and require both KMS key and IAM policy permissions. Specifically, kms:CreateAlias must be allowed in both the key policy and the IAM policy of your user1.

This means that KMS key policies apply only to keys, not aliases.

Upvotes: 4
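To check the "both documents must allow it" rule before deploying, here is an added example (not code from the question or the answers) that evaluates the two policy documents from the question offline and reports which document is missing the grant. It keeps the question's placeholder account id, and its principal matching is a simplification (exact ARN, or the account root ARN) rather than the full AWS evaluation logic.

```python
import fnmatch

# Principal under test; the account id is the question's own placeholder.
PRINCIPAL = "arn:aws:iam::xxxxxxxxxxxx:user/user1"

# The two policy documents as posted in the question.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:DeleteAlias"], "Resource": "*"}]}
KEY_POLICY = {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::xxxxxxxxxxxx:user/user1"]},
     "Action": ["kms:Create*", "kms:Delete*"], "Resource": "*"}]}

def _as_list(value):
    """IAM allows Action/Principal as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_effect(stmt, action, principal=None):
    """Effect of one statement for `action` (and `principal`, key policies only),
    or None if it does not apply. Actions use IAM's '*' wildcard (kms:Delete*).
    Principal matching is simplified: exact ARN, or the account root ARN, which
    in a key policy means 'IAM policies in this account may grant access'."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
        return None
    if principal is not None:
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        root = "arn:aws:iam::%s:root" % principal.split(":")[4]
        if principal not in allowed and root not in allowed:
            return None
    return stmt["Effect"]

def evaluate(policy, action, principal=None):
    """Single-document decision: explicit Deny wins, then Allow, else implicit deny."""
    effects = {statement_effect(s, action, principal) for s in policy["Statement"]}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def missing_grants(iam_policy, key_policy, action, principal):
    """Alias actions need an Allow from BOTH documents; return the names of the
    documents that do not grant `action` (an empty list means the call succeeds)."""
    missing = []
    if evaluate(iam_policy, action) != "Allow":
        missing.append("IAM policy")
    if evaluate(key_policy, action, principal) != "Allow":
        missing.append("key policy")
    return missing
```

Run against the question's documents, `missing_grants(IAM_POLICY, KEY_POLICY, "kms:CreateAlias", PRINCIPAL)` reports the IAM policy as the missing grant, while `kms:DeleteAlias` passes both checks.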

Nick

Reputation: 1273

I believe that the culprit could be that you are missing the kms:DescribeKey permission in both the IAM and the resource policy. It is listed as required in the Controlling access to aliases document.

  • kms:CreateAlias for the KMS key. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

{
  "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
  "Action": [
    "kms:CreateAlias",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Upvotes: 0
