Reputation: 303
I am trying to deploy a KMS CMK with the default Key Policy. Per the documentation, if you don't specify a policy when creating a key, AWS uses the default key policy. However, when using CloudFormation, the Property KeyPolicy is required. Anyone know how to specify the default policy in the KeyPolicy statement or am I missing something?
I am trying to create an AWS::KMS::Key resource. Per the documentation, there should be the ability to use the default key policy as the KeyPolicy property; however, as the documentation states:
If you are unsure of which policy to use, consider the default key policy. This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see Default key policy in the AWS Key Management Service Developer Guide.
Unfortunately, the KeyPolicy resource is marked as having a Required value, while using the default key policy explicitly calls for passing no value. How can I use the default key policy in the KeyPolicy Property when it requires a value to be passed?
Upvotes: 2
Views: 1852
Reputation: 303
After more research on this, it appears the correct way to handle this is to pass the equivalent of what the default key policy imposes into the actual CloudFormation property.
Consider the following documentation on default key policy:
The following default key policy statement is critical.
- It gives the AWS account that owns the KMS key full access to the KMS key.
  Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its users. To give permission to account administrators, the key policy must include an explicit statement that provides this permission, like this one.
- It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.
  Without this permission, IAM policies that allow access to the key are ineffective, although IAM policies that deny access to the key are still effective.
- It reduces the risk of the key becoming unmanageable by giving access control permission to the account administrators, including the account root user, which cannot be deleted.
The following key policy statement is the entire default key policy for KMS keys created programmatically. It's the first policy statement in the default key policy for KMS keys created in the AWS KMS console.
The last line, in particular, reveals the answer:
The following key policy statement is the entire default key policy for KMS keys created programmatically. It's the first policy statement in the default key policy for KMS keys created in the AWS KMS console.
{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}
Therefore, because the KeyPolicy field in a CloudFormation AWS::KMS::Key is required, to pass in the Default Key Policy you need to submit the above code block, which would normally be created for you if you called the KMS API without an explicit KeyPolicy.
Upvotes: 4
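As an added example (not part of the question or the answer above), here is the default key policy statement as a complete CloudFormation AWS::KMS::Key resource. The KeyPolicy property expects a full policy document, so the statement is wrapped in Version and Statement, and the account ID is resolved from the deploying account with !Sub instead of copying the 111122223333 placeholder from the documentation, which would otherwise grant a different account's root principal. The logical resource names, the description and the alias name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: KMS key whose KeyPolicy reproduces the default key policy (constructed example)

Resources:
  AppDataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK with the equivalent of the default key policy
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Identical to the single statement of the default key policy,
          # except that the account ID comes from the deploying account
          # rather than the 111122223333 placeholder used in the docs.
          - Sid: Enable IAM policies
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

  # Assumed alias so callers do not need to know the key ID.
  AppDataKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/app-data-example
      TargetKeyId: !Ref AppDataKey
```

Because this statement grants the account root principal kms:* and enables IAM policies, access to the key is then governed by the IAM policies in the account, exactly as with a key created through the API without a policy.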