IAM Analyzer & ams/acm Key Policy

0

Following the announcement regarding the IAM Analyzer, I ran it in relevant regions and a 'finding' showed up for us-east-1. The transcript of the finding is here (I've removed my account number and tweaked the ARN):

[
  {
    "action": [
      "kms:Decrypt"
    ],
    "analyzedAt": "2019-12-03T16:50:47.000Z",
    "condition": {},
    "createdAt": "2019-12-03T16:32:58.000Z",
    "id": "32f520ad-4074-4535-9e68-9d1343bff519",
    "isPublic": false,
    "principal": {
      "AWS": "237498168996"
    },
    "resource": "arn:aws:kms:us-east-1:xxxxxxxxxxxx:key/99bba141-3014-46c3-8829-deadbeef",
    "resourceType": "AWS::KMS::Key",
    "status": "ACTIVE",
    "updatedAt": "2019-12-03T16:32:58.000Z"
  }
]

Two things are unclear. Firstly, where did that principal account number come from? It is nothing to do with me. And secondly, although clicking through the ARN link under Resource in the Findings detail takes me to the Customer Managed Keys section of KMS (breadcrumb link reads: KMS > Customer managed keys > Key ID: 99bba141-3014-46c3-8829-deadbeef), this isn't a CMK, it's an AWS managed key with the alias aws/acm and a key policy I can only view?

I believe the key policy itself to be safe as it has Condition restrictions to my account for all Allow entries. The 'finding' makes no sense when no other AWS managed keys are listed (and there are some in there), or given that it isn't a CMK, it's an AWS managed key?!

Screenshot attached. Interested in any thoughts.

Robert.

Asked 5 years ago, 380 views
8 answers
1

Hello jfdurocher and rswift,

Thank you for reaching out to us and providing feedback. I'm happy to provide you with an understanding of why you saw the finding and why it was resolved.

The findings generated by IAM Access Analyzer for KMS keys are comprehensive and provide visibility into access allowed not just by KMS key policies but also by a policy-equivalent configuration feature provided by KMS called KMS grants: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html. You might not see the accounts in question in your KMS key policy because the permissions are allowed by grants, which are not currently visible in the console. Similar to the case with https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html, there are certain AWS-owned accounts associated with specific AWS services that require permissions to take actions on behalf of customers. We have confirmed that the accounts that appeared in your findings are AWS-owned accounts belonging to AWS services and the access shared by the finding is intended for the functioning of the AWS service.

We have updated the analysis to ensure new findings from AWS-owned accounts are not flagged as Active findings and existing findings are automatically resolved. Hope this helps!

Thank you,
Ujjwal

AWS
Answered 5 years ago
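To check for yourself whether a flagged principal is granted by a KMS grant rather than by the key policy, here is an added example (not code from the answer above or from AWS): it takes a key policy document and a grant list in the shapes that boto3's `kms.get_key_policy()["Policy"]` and `kms.list_grants()["Grants"]` return, and reports every account other than your own together with the statement or grant that allows it. The account IDs, policy and grants below are constructed sample data.

```python
import json
import re

# Constructed sample data: your own account, a key policy and two grants.
OWN_ACCOUNT = "111111111111"
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
})
GRANTS = [  # same field names as entries of kms.list_grants()["Grants"]
    {"GrantId": "grant-1", "Operations": ["Decrypt"],
     "GranteePrincipal": "arn:aws:iam::222222222222:root"},
    {"GrantId": "grant-2", "Operations": ["Encrypt", "Decrypt"],
     "GranteePrincipal": "arn:aws:iam::111111111111:role/app"},
]

# Bare account ID, or an IAM/STS ARN; service principals and "*" yield None.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def account_of(principal):
    """Return the 12-digit account ID named by a principal string, else None."""
    m = ACCOUNT_RE.match(principal)
    return m.group(1) if m else None

def policy_principals(policy_json):
    """Yield (Sid, principal) for every AWS principal of each Allow statement."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        aws = stmt.get("Principal", {})
        aws = aws.get("AWS", []) if isinstance(aws, dict) else aws  # "*" case
        for p in ([aws] if isinstance(aws, str) else aws):
            yield stmt.get("Sid", ""), p

def external_access(own_account, policy_json, grants):
    """Map each foreign account (or '*' for public) to the sources allowing it."""
    found = {}
    for sid, p in policy_principals(policy_json):
        acct = "*" if p == "*" else account_of(p)
        if acct and acct != own_account:
            found.setdefault(acct, []).append(f"policy:{sid}")
    for g in grants:
        acct = account_of(g["GranteePrincipal"])
        if acct and acct != own_account:
            ops = ",".join(g["Operations"])
            found.setdefault(acct, []).append(f"grant:{g['GrantId']}:{ops}")
    return found

if __name__ == "__main__":
    print(json.dumps(external_access(OWN_ACCOUNT, KEY_POLICY, GRANTS), indent=2))
```

With the sample data the only foreign account, 222222222222, is reported as coming from grant-1 and not from the policy, which is exactly the situation the answer describes.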
0

I too have the exact same behavior from Access Analyser but with a different "Principal" unknown account that has nothing to do with me. Basically @rswift situation is a copy and paste of mine even with the AWS Managed key showing up as CMK.

Answered 5 years ago
0

Fingers crossed this is a teething issue with the new service? I've trawled CloudTrail for every region and cannot find any reference to the policy creation from the time shown in the KMS console, it's a definite weirdy!?

I wonder if we've stumbled upon https://en.wikipedia.org/wiki/Five_Eyes accounts?

Answered 5 years ago
0

@rswift, not sure what happened there but it seems the issue is now marked as Resolved although I haven't changed a setting. I did run all the logging possible but nothing in my settings; it might have been something on Amazon's side, but I wish I could have some explanation.

Hoping it will be resolved for you too.

Answered 5 years ago
0

jfdurocher wrote:
@rswift, not sure what happened there but it seems the issue is now marked as Resolved although I haven't changed a setting. I did run all the logging possible but nothing in my settings; it might have been something on Amazon's side, but I wish I could have some explanation.

Hoping it will be resolved for you too.

How peculiar? The finding is magically resolved for me too! I couldn't agree more, this seems to have lifted the AWS kimono just a little and we've seen underneath. Their transparency isn't great given the key still exists but no longer links to a CMK. The question is, was this a KMS issue that the Analyser uncovered, or an Analyser issue? If it is the former, then that feels more of an issue. But especially strange that we had different principals...

I'm sure we'll never get an answer...

Answered 5 years ago
0

Thank you @ujjwal-aws for this explanation/update, it is much appreciated.

Answered 5 years ago
0

Closing this forum thread as answered. Happy to provide answers to follow-up questions.

AWS
Answered 5 years ago
0

Thank you for the follow up, much appreciated.

Answered 5 years ago
