EBS with KMS CMK encryption

0

I created a Customer Managed Key (CMK) without specifying Key Administrators or Key User policies. However, I noticed that I can still attach this KMS-CMK to EBS volumes and perform read-write operations on them through an EC2 instance. I want to restrict this access so that only specific groups of people can administer this KMS-CMK, and the Key User policy should only allow EBS and S3 storage services to use these keys. Can someone help me with the policy for this? Also, I noticed that auto key rotation only allows rotation yearly, but I want to rotate the key material every 90 days. Is there a way to achieve this?

  • Please accept the answer if it was useful for you

1 Answer
2

To refine access to your Customer Managed Key (CMK) in AWS KMS for specific administrative actions and restrict its use to only EBS and S3 services, you'll need to modify the key policy. AWS Key Management Service (KMS) allows you to define who can administer and use the CMKs through key policies.

Adjusting the Key Policy Here's a simplified example of how you might adjust your key policy to meet these requirements. Remember, you'll need to replace placeholders like <YourAccountId> with your actual AWS account ID and <UserOrGroupArn> with the ARN(s) of the user(s) or IAM group(s) you want to grant permissions to:

{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YourAccountId>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<AdminUserOrGroupArn>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<UserOrGroupArnForEBSAndS3>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.<Region>.amazonaws.com",
            "s3.<Region>.amazonaws.com"
          ]
        }
      }
    }
  ]
}

This policy allows specified administrators to manage the key while restricting its usage to EBS and S3 services through the kms:ViaService condition. Ensure you update <Region> to match your AWS region.

Key Rotation Every 90 Days Regarding key rotation, AWS KMS supports automatic rotation only once a year and doesn't offer an out-of-the-box solution for more frequent rotations. If you need to rotate keys every 90 days, you'll have to implement a custom solution. This could involve using AWS Lambda functions triggered by Amazon CloudWatch Events (or Amazon EventBridge) to call the CreateKey and UpdateAlias API operations to create a new CMK and update the alias to point to the new CMK every 90 days.

profile picture
EXPERT
answered 2 months ago
profile picture
EXPERT
Artem
reviewed a month ago
  • Regarding rotation frequency, stay tuned!

  • Thanks for quick help. As per my understanding, In AWS, Customer Managed Keys (CMKs), also known as Key Management Service (KMS) keys, are essentially Key Encryption Keys (KEKs) used for encrypting and decrypting Data Encryption Keys (DEKs). It's observed that AWS doesn't offer full control to customers for rotating keys as immediately as Azure does. While attempting to update an existing alias to point to a new key, I noticed that the process merely attaches or points the alias to the new keyID without affecting the current key. However, at the level of Elastic Block Store (EBS) volumes, the KMS KeyID remains unchanged, still referencing the old KMS key without alias (since alias moved to new keyid) even after waiting for over an hour. If I'm missing a step or doing something incorrectly, could you guide me through the correct procedure?

    And, I'm unsure, Even if AWS automatically rotates the KMS key annually, does the updated key automatically reflect in services like EBS and S3, or is manual updating required?

    I used below az cli command to update alias. aws kms update-alias --alias-name alias/Key04 --target-key-id xxxxx-xxxxx-xxxxx-xxxx

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions