AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約

Controlling access to KMS keys using aliases fails

0

I'm trying to control access to KMS keys based on their alias with a policy, following the guidance here.

I want the policy to:

  • Allow general access to kms operations for unrestricted keys
  • Deny all access to keys that are restricted (have an alias matching restricted)

Here is my attempt:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAll",
      "Effect": "Allow",
      "Action": ["kms:*"],
      "Resource": "*",
    },
    {
      "Sid": "DenyKMSForProduction",
      "Effect": "Deny",
      "Action": ["kms:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "kms:RequestAlias": [
            "alias/*restricted*",
            "alias/*RESTRICTED*"
          ],
          "kms:ResourceAliases": [
            "alias/*restricted*",
            "alias/*RESTRICTED*"
          ]
        }
      }
    }
  ]
}

However, when I test this policy with the IAM policy simulator, it fails.

  • Access to kms keys that have an alias with restricted are allowed, even if I pass in a request alias or resource alias in this simulator
  • In my understanding of evaluation logic, any deny statement will be evaluated first, so operations to the key with the restricted alias should be denied
  • And even if I review the Allow * sid, it still only fails with an implicit deny, not an explicit deny

Is this a limitation with the simulator, or an issue with my policy?

1回答
1
承認された回答

The following example IAM policy statement allows the principal to enable and disable KMS keys but only when all aliases of the KMS keys include "Test." This policy statement uses two conditions. The condition with the ForAllValues set operator requires that all aliases associated with the KMS key include "Test". The condition with the ForAnyValue set operator requires that the KMS key have at least one alias with "Test." Without the ForAnyValue condition, this policy statement would have allowed the principal to use KMS keys that had no aliases.

{
  "Sid": "AliasBasedIAMPolicy",
  "Effect": "Allow",
  "Action": [
    "kms:EnableKey",
    "kms:DisableKey"
  ],
  "Resource": "arn:aws:kms:*:111122223333:key/*",
  "Condition": {
    "ForAllValues:StringLike": {
      "kms:ResourceAliases": [
        "alias/*Test*"
      ]
    },
    "ForAnyValue:StringLike": {
      "kms:ResourceAliases": [
        "alias/*Test*"
      ]
    }
  }
}
AWS
回答済み 2年前
profile picture
エキスパート
レビュー済み 4ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ