I have a "poweruseraccess" policy applied to a "Developer" role in my account that is used by multiple users. This role allows access to AWS resources, as such anyone with this role can encrypt/decrypt using keys in KMS. I want to restrict encryption/decryption actions on a particular kms key. For this, I added a deny section to the default kms policy on this specific key as below. This denies encrypt/decrypt action to any principal except if their userid is the root (12345) or specific role AROAADMINROLE (account admins), AROALAMBDAROLE (captures assumerole) and an IAM user AIDAMYIAMUSER. In spite of this explicit deny section, the users with Developer role are still able to encrypt/decrypt with the key. Can someone please help me figure out the issue?
Similar policies works for restricting our S3 bucket access. I followed this article for building the policies. https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/ . It's the same principle for below policy by using wildcards and StringNotLike in conditions.
KMS policy
{
"Id": "my-key-consolepolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345:user/my_iam_user"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "ExplicitDenyEncryptDecryptAccess",
"Effect": "Deny",
"Principal": "*",
"Action": [
"kms:Encrypt",
"kms:Decrypt"
],
"Condition": {
"StringNotLike": {
"aws:userid": [
"12345",
"AROAADMINROLE",
"AROAADMINROLE:*",
"AIDALAMBDAROLE:*",
"AIDALAMBDAROLE",
"AIDAMYIAMUSER:*",
"AIDAMYIAMUSER"
]
}
}
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::12345:user/my_iam_user",
"arn:aws:iam::12345:role/my_lambda_role"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
Edited by: swatic on Aug 20, 2019 10:49 AM