Key policies and access management
Key policies in KMS are JSON documents that define who has what kind of access to a specific key. Let’s explore some advanced access management techniques.
Cross-account access
KMS allows for cross-account access to CMKs, enabling scenarios where resources in one AWS account might need to decrypt data that’s been encrypted by another account. This is often used in multi-account AWS architectures, facilitating secure data sharing across different parts of an organization.
Here is a key policy example that restricts access to an encryption key in a local AWS account, 111111111111, to a specific user in another AWS account, 222222222222:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEncryptDecryptCrossAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:user/user1"},
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111111111111:key/MyKey"
        }
    ]
}
While cross-account access is beneficial for resource sharing, it comes with its own set of risks. For instance, if the external account is compromised, it could lead to unauthorized access to your resources. Therefore, it is crucial to implement additional security measures, such as requiring MFA, for cross-account access.
ABAC policies
As discussed in Chapter 3, attribute-based access control (ABAC) is an access control model that allows you to grant permissions based on both identities and resource attributes. This strategy can also be implemented in KMS to control access to encryption keys. This allows for more granular control by enabling permissions based on attributes. For example, you can set up a key policy that only allows users or roles with a specific tag value to decrypt data using the key with the same tag value:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEncryptDecryptWithTagMatch",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
                }
            }
        }
    ]
}
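A reviewer rarely reads key policies by eye alone. The following Python script is an added example (not code from the text, and not an AWS tool) that parses a key policy and reports the checks the two sections above call for: which statements grant access to an external account and whether they demand MFA, whether a wildcard principal is left unconditioned, and whether a tag-match condition actually applies to Encrypt/Decrypt. The last check matters because a request for a data operation such as kms:Decrypt carries no tag pairs, so a condition on aws:RequestTag/... can never match it; written with a ...IfExists operator it silently passes, and a policy meant as ABAC becomes an open grant. The key's own tag is tested with aws:ResourceTag/.... The four sample policies are constructed for the example: the account ids and "MyKey" are the text's placeholders, and the MFA variant adds an aws:MultiFactorAuthPresent condition that the text recommends but does not spell out. Note also that a cross-account grant in the key policy is only half of the setup: the external account must separately allow its user the same kms: actions in an IAM policy.

```python
"""Static checks for AWS KMS key policies (added example, runs offline)."""
import fnmatch
import json
import re
from typing import Any

# Data-plane actions: requests for these carry no tag pairs, so an
# aws:RequestTag/... condition can never be satisfied by them.
DATA_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:Sign", "kms:Verify",
}
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample policies; account ids and "MyKey" are placeholders.
CROSS_ACCOUNT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEncryptDecryptCrossAccount",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:user/user1"},
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "arn:aws:kms:us-east-1:111111111111:key/MyKey"
  }]
}"""
# Same grant, but the external user must have authenticated with MFA.
CROSS_ACCOUNT_WITH_MFA = CROSS_ACCOUNT_POLICY.replace(
    '"Resource"',
    '"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},\n    "Resource"')
# Tag-match policy written against the request's tags (the mistake to catch).
ABAC_REQUEST_TAG = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEncryptDecryptWithTagMatch",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "*",
    "Condition": {"StringEqualsIfExists": {
      "aws:RequestTag/Department": "${aws:PrincipalTag/Department}"}}
  }]
}"""
# Corrected form: compare the key's own tag with the caller's tag.
ABAC_RESOURCE_TAG = (ABAC_REQUEST_TAG
                     .replace("StringEqualsIfExists", "StringEquals")
                     .replace("aws:RequestTag", "aws:ResourceTag"))


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def principal_arns(principal: Any) -> list[str]:
    """Flatten Statement.Principal into a list of '*' / ARN strings."""
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def touches_data_actions(actions: list[str]) -> bool:
    """True if any action pattern (wildcards allowed, e.g. kms:*) covers a data action."""
    return any(fnmatch.fnmatchcase(d, a) for a in actions for d in DATA_ACTIONS)


def audit_key_policy(policy_text: str, local_account: str) -> list[str]:
    """Return one finding string per issue found in an Allow statement."""
    findings: list[str] = []
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = principal_arns(stmt.get("Principal"))
        condition = stmt.get("Condition") or {}
        cond_keys = [(op, k) for op, m in condition.items() for k in m]

        # 1. External principals, and whether the statement demands MFA for them.
        external = {m.group(1) for p in principals
                    if (m := ARN_ACCOUNT_RE.match(p)) and m.group(1) != local_account}
        for account in sorted(external):
            findings.append(f"{sid}: grants access to external account {account}")
        if external and not any(k == "aws:MultiFactorAuthPresent" for _, k in cond_keys):
            findings.append(f"{sid}: cross-account grant has no aws:MultiFactorAuthPresent condition")

        # 2. Wildcard principal with nothing narrowing it.
        if "*" in principals and not condition:
            findings.append(f"{sid}: Principal '*' with no Condition")

        # 3. aws:RequestTag never matches Encrypt/Decrypt; with ...IfExists the
        #    test silently passes, turning a tag-match rule into an open grant.
        if touches_data_actions(_as_list(stmt.get("Action"))):
            for op, key in cond_keys:
                if key.startswith("aws:RequestTag/"):
                    effect = "always passes" if op.endswith("IfExists") else "never matches"
                    findings.append(f"{sid}: {key} on data actions {effect}; "
                                    "use aws:ResourceTag/ to match the key's own tag")
    return findings


if __name__ == "__main__":
    for name, text in [("cross-account", CROSS_ACCOUNT_POLICY),
                       ("cross-account+MFA", CROSS_ACCOUNT_WITH_MFA),
                       ("abac RequestTag", ABAC_REQUEST_TAG),
                       ("abac ResourceTag", ABAC_RESOURCE_TAG)]:
        print(name, audit_key_policy(text, "111111111111") or ["no findings"])
```

Run from the local account's point of view (here 111111111111): the first policy is reported for its external principal and missing MFA condition, the MFA variant only for the external principal, the RequestTag policy for a condition that always passes, and the ResourceTag policy is clean. Pointing the same checker at a policy that uses "kms:*" still triggers the data-action check because the action test expands wildcards.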