By using AWS re:Post, you agree to the AWS re:Post Terms of Use

KMS Key policy ignored over IAM Role

0

I have a "poweruseraccess" policy applied to a "Developer" role in my account that is used by multiple users. This role allows access to AWS resources, as such anyone with this role can encrypt/decrypt using keys in KMS. I want to restrict encryption/decryption actions on a particular kms key. For this, I added a deny section to the default kms policy on this specific key as below. This denies encrypt/decrypt action to any principal except if their userid is the root (12345) or specific role AROAADMINROLE (account admins), AROALAMBDAROLE (captures assumerole) and an IAM user AIDAMYIAMUSER. In spite of this explicit deny section, the users with Developer role are still able to encrypt/decrypt with the key. Can someone please help me figure out the issue?

Similar policies works for restricting our S3 bucket access. I followed this article for building the policies. https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/ . It's the same principle for below policy by using wildcards and StringNotLike in conditions.

KMS policy

{
    "Id": "my-key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:user/my_iam_user"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345:user/my_iam_user",
                    "arn:aws:iam::12345:role/my_lambda_role"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Edited by: swatic on Aug 20, 2019 10:49 AM

asked 5 years ago1K views
1 Answer
1
Accepted Answer

Hi,
It appears that you just have a typo and are missing the Resource for you Deny Condition block.
Your policy should be changed to:

        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*" ,
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },

Hope this helps!
-randy

EXPERT
answered 5 years ago
profile picture
EXPERT
reviewed 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions