Questions tagged with AWS Key Management Service


I run Lambdas in a multi-account context. I have Lambdas in accounts A, B and C, and they pull images from an ECR in account D. On account D there is a customer managed key (KMS), used by the ECR and allowed for use in a cross-account context.
- Roles used by the Lambdas are allowed to use KMS with the right KMS ARN
- The KMS key policy allows usage in a cross-account context
- The Lambdas are allowed to pull images in a cross-account context
- The ECR allows pulling images from a cross-account context
I use CloudFormation to deploy these objects and there is no problem with that. The Lambdas work fine until the next point. If I use "aws lambda update-function-code" to update the image, I run into this problem:
```
Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings. KMS Exception: AccessDeniedExceptionKMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
```
I am not able to resolve this problem without erasing the whole previously created stack and recreating it from scratch, and even then it is impossible to use "update-function-code" without breaking all Lambdas.
1 answer, 0 votes, 22 views, asked 9 days ago
We are trying to restore a snapshot of a Redshift cluster from one account into a new account. The accounts are unlinked. The snapshot process and copy work fine. When we try to restore the snapshot in the new account it requires access to the Redshift KMS key from the source account. *The source cluster for this snapshot is encrypted. When you restore, the target database will be encrypted as well. You can't unencrypt the data as part of the restore operation. After you restore, you can change encryption settings.* Here it is prompting for access to the source key. I am not sure how, or if, it is possible to give the new/destination account or my user access to the key from the old source account. The source Redshift cluster uses an AWS managed aws/redshift key from the source account. We want to bring the whole snapshot, Redshift users and all, not just the data.
2 answers, 0 votes, 38 views, asked 17 days ago
Currently we have a Failover Routing Policy configured in Route 53. We have S3 replication enabled and DynamoDB global tables as well. If we are performing a BYOK migration in the primary region and allow customer traffic only to the secondary region, and records are created in S3 and in the DynamoDB global tables, these will be replicated to the primary region as well. Will it create any issues in the primary region S3 buckets and DynamoDB tables while the migration is going on? Could you please share any other recommendations or best practices for such a migration in active-passive environments?
1 answer, 0 votes, 12 views, asked 18 days ago
I created a SecureString parameter in AWS Systems Manager Parameter Store. It uses the default KMS key for encryption/decryption. I also created an association in State Manager to run "AWS-RunPowerShellScript" using the command "Net.exe user administrator {{ssh:<name of my parameter>}}" to have State Manager update the password across all of my associated Windows EC2 instances. However, the update only works when I reference a String parameter but does NOT work when I reference a SecureString parameter. Any ideas why I can't reference a SecureString parameter? How do I reference a SecureString parameter in this State Manager association?
1 answer, 0 votes, 31 views, asked 18 days ago
Hi, when trying to delete my hosted zones, I get this error: "Error occurred Bad request. (InvalidKeySigningKeyStatus 400: Key Signing Key with name datalabsai cannot be deleted because current status is not INACTIVE. You can use DeactivateKeySigningKey to deactivate the Key Signing Key before you delete it.)" I followed each step in the documentation but I am still not able to delete the hosted zone. Any solution?
1 answer, 0 votes, 20 views, asked 20 days ago
When the customer tries to pay an invoice using their bank account, South Indian Bank is not on the list. Is this bank supported for AWS payments?
1 answer, 0 votes, 23 views, Brent, asked 23 days ago
Hi, I'm trying to use aws_s3.table_import_from_s3 to read data stored in a separate account, but the GetObject call is failing. If I reproduce the issue from the CLI, I get the following error: "The ciphertext refers to a customer ma$ter key that does not exist, does not exist in this region, or you are not allowed to access." Reading between the lines, I'm guessing that the aws_s3 extension automatically uses the customer ma$ter key to encrypt files at rest, but this behaviour isn't described anywhere in the docs. I don't have encryption enabled by default on the bucket. Is this just a completely unsupported scenario? Also, bizarrely, the content policy here doesn't let me use the word "ma5ter" because it's not "inclusive". Absurd.
0 answers, 0 votes, 25 views, asked 25 days ago
Hey, I'm working on a solution that I want to propose to my customer for a move-to-cloud project. They want to start with a small set of services and low cost on AWS, so I have to start landing the applications in AWS with limited services. For encryption purposes, I'll start with AWS KMS only at the beginning, with a dedicated CMK for each application and each related AWS service. But the customer wants to possess the key material in the next step of the project. That's why I suggested bringing CloudHSM in with AWS KMS. However, I don't know what the impact of this new combination of encryption services can be on the existing keys, backed-up keys, etc. Do you have any suggestions? Regards, Fatih
1 answer, 0 votes, 32 views, Fatih, asked a month ago
All, if I compare the two choices in the title, the aws-encryption-cli and the AWS CLI within the kms group of commands, they seem to overlap. In other words, strictly from a command-line perspective I can encrypt and decrypt using the AWS CLI, so is there a reason to use the aws-encryption-cli, which requires an additional install, rather than aws kms encrypt/decrypt?
2 answers, 0 votes, 47 views, asked a month ago
I'm trying to control access to KMS keys based on their alias with a policy, following the guidance [here](https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html). I want the policy to:
- Allow general access to KMS operations for unrestricted keys
- Deny all access to keys that are restricted (have an alias matching *restricted*)
Here is my attempt:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAll",
      "Effect": "Allow",
      "Action": ["kms:*"],
      "Resource": "*"
    },
    {
      "Sid": "DenyKMSForProduction",
      "Effect": "Deny",
      "Action": ["kms:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "kms:RequestAlias": ["alias/*restricted*", "alias/*RESTRICTED*"],
          "kms:ResourceAliases": ["alias/*restricted*", "alias/*RESTRICTED*"]
        }
      }
    }
  ]
}
```
However, when I test this policy with the IAM policy simulator, it fails.
- Access to KMS keys that have an alias with "restricted" is allowed, even if I pass in a request alias or resource alias in the simulator
- In my understanding of the [evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html), any Deny statement is evaluated first, so operations on the key with the restricted alias should be denied
- And even if I remove the Allow * Sid, it still only fails with an implicit deny, not an explicit deny
Is this a limitation of the simulator, or an issue with my policy?
1 answer, 0 votes, 36 views, asked a month ago
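Added example, not part of the question or of any answer on this page: a small offline model of the IAM rules that decide whether the Deny statement above ever fires. Two rules matter. First, every condition key inside one Condition block is ANDed, so the posted Deny fires only when the request carries a matching kms:RequestAlias *and* the key carries a matching kms:ResourceAliases value. Second, a StringLike or ForAnyValue test on a key that is absent from the request context evaluates to false, and kms:RequestAlias is only present when the caller identified the key by alias, so a call by key ID or key ARN (or a Decrypt with no KeyId) never satisfies the posted Deny. The code evaluates the posted policy and a variant that splits the Deny into one statement per condition key, against three constructed request contexts. The alias names, the contexts and the `compare` helper are assumptions made for the example; the model ignores Resource and Principal matching and does not claim anything about what the policy simulator itself does with these keys.

```python
"""Offline model of IAM condition evaluation for the alias-based Deny above.

Added example, not code from the question or from AWS. It models only
Effect, Action wildcards, StringLike matching, the AND between condition
keys in one Condition block, and the rule that an absent context key makes
a StringLike / ForAnyValue test false. Resource and Principal matching,
SCPs and resource policies are deliberately left out.
"""
import fnmatch


def _like(value, patterns):
    """IAM StringLike: true if value matches any pattern (* and ? wildcards)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def condition_holds(condition, ctx):
    """Every (operator, key) pair inside one Condition block must hold (AND).

    An absent context key makes a StringLike or ForAnyValue test false;
    the ...IfExists and ForAllValues variants behave differently and are
    not modelled here.
    """
    for operator, keys in condition.items():
        set_operator = operator.startswith("ForAnyValue:")
        for key, patterns in keys.items():
            if key not in ctx:
                return False
            values = ctx[key]
            if set_operator:
                # multivalued key such as kms:ResourceAliases; a lone string
                # is treated as a one-element set
                if isinstance(values, str):
                    values = [values]
                if not any(_like(v, patterns) for v in values):
                    return False
            elif not _like(values, patterns):
                # single-valued key such as kms:RequestAlias
                return False
    return True


def evaluate(policy, action, ctx):
    """Identity-policy decision for one action: an explicit Deny wins,
    a matching Allow gives allow, nothing matching is an implicit deny."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not _like(action, actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


RESTRICTED = ["alias/*restricted*", "alias/*RESTRICTED*"]
ALLOW_ALL = {"Sid": "AllowAll", "Effect": "Allow", "Action": ["kms:*"], "Resource": "*"}

# The Deny from the question: both keys sit in ONE condition block, so both must match.
POSTED = {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
    "Sid": "DenyKMSForProduction", "Effect": "Deny", "Action": ["kms:*"], "Resource": "*",
    "Condition": {"ForAnyValue:StringLike": {
        "kms:RequestAlias": RESTRICTED, "kms:ResourceAliases": RESTRICTED}}}]}

# Assumed alternative: one Deny per condition key, so EITHER match denies.
SPLIT = {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
    "Sid": "DenyByRequestAlias", "Effect": "Deny", "Action": "kms:*", "Resource": "*",
    "Condition": {"StringLike": {"kms:RequestAlias": RESTRICTED}}}, {
    "Sid": "DenyByResourceAlias", "Effect": "Deny", "Action": "kms:*", "Resource": "*",
    "Condition": {"ForAnyValue:StringLike": {"kms:ResourceAliases": RESTRICTED}}}]}

# Constructed request contexts (alias names are made up for the example).
BY_ALIAS = {"kms:RequestAlias": "alias/prod-restricted",       # KeyId=alias/prod-restricted
            "kms:ResourceAliases": ["alias/prod-restricted"]}
BY_KEY_ID = {"kms:ResourceAliases": ["alias/prod-restricted"]}  # same key, called by key ARN:
                                                                # no kms:RequestAlias in context
UNRESTRICTED = {"kms:RequestAlias": "alias/app-data",
                "kms:ResourceAliases": ["alias/app-data"]}


def compare(action="kms:Decrypt"):
    """Decision of (POSTED, SPLIT) for each constructed context."""
    cases = [("by_alias", BY_ALIAS), ("by_key_id", BY_KEY_ID), ("unrestricted", UNRESTRICTED)]
    return {name: (evaluate(POSTED, action, ctx), evaluate(SPLIT, action, ctx))
            for name, ctx in cases}


if __name__ == "__main__":
    for name, (posted, split) in compare().items():
        print(f"{name:13s} posted={posted:14s} split={split}")
```

Running it shows the gap: the posted policy denies only the `by_alias` call, while `by_key_id` (the key's restricted alias is present on the resource, but the request named the key by ARN) is allowed; the split variant denies both and still allows the unrestricted key. When you test in the simulator, supply kms:ResourceAliases as a multivalued context key and kms:RequestAlias as a single value, matching the shape each key actually has.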
I have worked with a third-party message provider (SendGrid) with Cognito, for sending an OTP to the user's email whenever a user signs up, forgets a password, etc. Here I am facing one issue:
```
"Error: Unable to decrypt data key and one or more KMS CMKs had an error. ",
" Error #1 ",
" AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.",
```
**I am not able to decrypt the Cognito secret code.** ![Error for decode](/media/postImages/original/IMYxhj7FtURJSVf3g1YwFbzQ)
I am writing my code following these blogs: https://blog.xiggit.com/blog/how-we-use-customer.io-to-send-custom-welcome-emails-through-cognito https://www.thelambdablog.com/how-to-decrypt-aws-cognito-generated-temporary-codes-in-a-custom-sender-lambda-with-a-kms-key/
So, my question is: how do I create the **IAM role** + **KMS key** for decrypting the Cognito code parameter? Please, anyone, help me. Thanks.
```js
const AWS = require("aws-sdk")
const b64 = require("base64-js")
const encryptionSdk = require("@aws-crypto/client-node")
const env = require("./config/environment.js")

// AWS Encryption SDK client; REQUIRE_ENCRYPT_ALLOW_DECRYPT accepts messages
// written with or without key commitment
const { encrypt, decrypt } = encryptionSdk.buildClient(
  encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT
)

// KMS keyring: the generator key and the key IDs the keyring may use
const generatorKeyId = env.KMS_KEY_ALIAS
const keyIds = [env.KMS_KEY_ID]
const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds })

exports.handler = async (event) => {
  // event.request.code is the base64-encoded Encryption SDK message from Cognito
  const { plaintext, messageHeader } = await decrypt(
    keyring,
    b64.toByteArray(event.request.code)
  )
  console.log(event)
  console.log("---------")
  console.log(event.request.code)
  console.log("otp code: " + plaintext)
  console.log("messageHeader: " + messageHeader)
  let triggerSource = event.triggerSource
  let email = event.request.userAttributes.email
  return
}
```
0 answers, 0 votes, 29 views, asked a month ago
Hi, I'm developing a Node.js site in EB and inside it I use the Google API. For this I have a large private key:
```
-----BEGIN PRIVATE KEY-----\nihriohioerhfierjfirejfi=\n-----END PRIVATE KEY-----\n
```
I tried to store it inside an environment variable but that is limited to 256 characters. The EC2 key pair value has the same size limit. So my question is: where do I have to store this key and how can I use it inside my Node.js app? I found this link but I'm not sure if it's the right way, and it's not explained enough (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html). Thanks for your help.
1 answer, 0 votes, 33 views, asked 2 months ago