Nikita Kalinichenko

Reputation: 1

AWS KMS ECC keys access control

Is it in any way possible to restrict AWS KMS signing operation with an EC private key to a particular AWS Nitro Enclave? That is, make it such that only the enclave with a given PCR hash is capable/allowed to call kms:Sign on a certain key.

This sounds like something that the EC key's kms:RecipientAttestation:ImageSha384 condition policy should handle, but based on the doc, this policy is only applicable to Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, and GenerateRandom operations... Or am I missing something?

Upvotes: 0

Views: 57

Answers (1)

Bobbie Chen

Reputation: 31

Correct, according to the doc, you cannot use the Nitro Enclaves IAM Conditions for kms:Sign. There are a couple of paths forward here that might be appropriate depending on your use case:

  1. Rather than use a KMS-managed asymmetric keypair, use the asymmetric data keys from GenerateDataKeyPair (see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs for docs on using this key for signing).
  2. Rather than use a KMS-managed asymmetric keypair, generate your own keypair and encrypt it using a KMS-managed symmetric key (similar to 1, but with your own key generation).

In both of these cases, you will use the kms:RecipientAttestation to restrict access to the kms:Decrypt operation, which is needed to decrypt the private key. You can use the same pattern to deliver any secret to a Nitro Enclave.

The downside here is that you will no longer be able to use kms:GetPublicKey since the keypair is not managed by KMS, and you will need a new way for clients to get the public key. If kms:GetPublicKey is required, then there is a third option that may work eventually:

  1. File a feature request with the AWS team :)

Upvotes: 0
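The pattern in the answer above (options 1 and 2) comes down to a KMS key policy on the symmetric wrapping key that allows kms:Decrypt only when the request carries an attestation document whose enclave image measurement matches. The following key-policy statement is an added illustration, not code from the question, the answer, or AWS documentation; the account ID, role name and ImageSha384 value are placeholders and must be replaced with your own (the condition value is the PCR0 measurement printed when the enclave image is built).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnclaveUnwrapSigningKeyOnlyWithMatchingImage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EnclaveParentInstanceRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "<PLACEHOLDER-PCR0-SHA384-OF-ENCLAVE-IMAGE>"
        }
      }
    },
    {
      "Sid": "OperatorWrapsPrivateKeyOnce",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/KeyProvisioningRole"
      },
      "Action": "kms:Encrypt",
      "Resource": "*"
    }
  ]
}
```

Two points worth checking when you deploy this. First, the kms:RecipientAttestation:ImageSha384 key is only present in the request context when the call includes a Nitro attestation document in the Recipient parameter; a plain kms:Decrypt from the parent instance role has no such key, so the StringEqualsIgnoreCase condition does not match and the Allow does not apply. Second, when the condition does match, KMS returns the plaintext encrypted to the ephemeral public key embedded in the attestation document (CiphertextForRecipient), so the wrapped EC private key is only ever recoverable inside the enclave that produced the attestation, not on the parent instance that proxied the request. Keep the provisioning principal that encrypts the keypair separate from the enclave principal, as in the second statement, so that no single role can both wrap and unwrap the signing key.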
