Key Policies - AWS Key Management Service Best Practices

Key Policies

Key policies are the primary way to control access to CMKs in AWS KMS. Each CMK has a key policy attached to it that defines permissions on the use and management of the key. The default policy enables any principals you define, as well as enables the root user in the account to add IAM policies that reference the key. We recommend that you edit the default CMK policy to align with your organization’s best practices for least privilege. To access an encrypted resource, the principal needs to have permissions to use the resource, as well as to use the encryption key that protects the resource. If the principal does not have the necessary permissions for either of those actions, the request to use the encrypted resource will be denied.

It’s also possible to constrain a CMK so that it can only be used by specific AWS services through the use of the kms:ViaService conditional statement within the CMK key policy. For more information, see the AWS KMS Developer Guide.

To create and use an encrypted Amazon Elastic Block Store (EBS) volume, you need permissions to use Amazon EBS. The key policy associated with the CMK would need to include something similar to the following:

{ "Sid": "Allow for use of this Key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt" ], "Resource": "*" }, { "Sid": "Allow for EC2 Use", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "" } } }

In this CMK policy, the first statement provides a specified IAM principal the ability to generate a data key and decrypt that data key from the CMK when necessary. These two APIs are necessary to encrypt the EBS volume while it’s attached to an Amazon Elastic Compute Cloud (EC2) instance.

The second statement in this policy provides the specified IAM principal the ability to create, list, and revoke grants for Amazon EC2. Grants are used to delegate a subset of permissions to AWS services, or other principals, so that they can use your keys on your behalf. In this case, the condition policy explicitly ensures that only Amazon EC2 can use the grants. Amazon EC2 will use them to re-attach an encrypted EBS volume back to an instance if the volume gets detached due to a planned or unplanned outage. These events will be recorded within AWS CloudTrail when, and if, they do occur for your auditing.

When developing a CMK policy, you should keep in mind how policy statements are evaluated within AWS. This means that if you have enabled IAM to help control access to a CMK, when AWS evaluates whether a permitted action is to be allowed or denied, the CMK policy is joined with the IAM policy. Additionally, you should ensure that the use and management of a key is restricted to the parties that are necessary.