KMS default key policy :-(

ray712
Member
December 10, 2022 at 10:45 pm

    It is a bit confusing for me and I need some help:

    In the Dojo’s ebook Security Specialty (page 93), it says:

    Either way, you should see the first statement of your default key policy similar to this:

    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
        "Action": "kms:*",
        "Resource": "*"
    }

    Take a look at the value of the Principal. At first glance, one could naturally assume that the policy is granting
    access to the root user. However, this is not the case.

    Keep in mind that the “root” does NOT pertain to the root
    user of the account.

    What it actually implies is that it allows IAM entities (e.g., IAM Users, IAM Roles) in
    123456789123 AWS Account to gain full access to the CMK.

    Simply put, the first statement is allowing IAM to
    further manage the permissions to your CMK.

    “it actually implies is that it allows IAM entities (e.g., IAM Users, IAM Roles) in 123456789123 AWS Account to gain full access to the CMK” => I understood that any principal (users, roles) in the account has full access to this KMS key.

    On the other hand, from this link, https://aws.amazon.com/premiumsupport/knowledge-center/kms-prevent-access/

    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "kms:*",
        "Resource": "*"
    }

    In this example, the Effect and Principal elements don’t refer to the AWS root user account. The Amazon Resource Names (ARN) allows permissions to the KMS key with this IAM policy. Any principal in the AWS account 111122223333 has root access to the KMS key if the required AWS Key Management Service (AWS KMS) permissions are attached to the IAM entity.

    It means any principal (except root) has full access ONLY IF the principal has an IAM policy (allowing full access) attached to it. Am I wrong? (And it is the opposite explanation from the Dojo’s ebook.)

    (It looks like the KMS key policy does not work exactly like other resource policies, i.e., S3.)


    Thanks.
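To make the two explanations concrete, here is an added Python model of the authorization logic, not code from the original post, from Tutorials Dojo, or from AWS. It assumes a simplified evaluation (no grants, condition keys, SCPs, permission boundaries or resource ARN matching) and uses constructed IAM policies and principal ARNs; the key policy statement is the one quoted from the AWS knowledge center article above. The point it demonstrates: the `root` principal statement grants the account root user access directly, but for IAM users and roles it only *enables* IAM policies, so the IAM policy must itself allow the action.

```python
import fnmatch

# Default key policy statement as quoted in the thread (AWS documentation example account id).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Constructed key policy that omits the "Enable IAM User Permissions" statement.
KEY_POLICY_WITHOUT_IAM = {"Version": "2012-10-17", "Statement": []}

# Constructed identity-based IAM policies attached to the IAM principal.
IAM_DECRYPT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"}],
}
IAM_NO_KMS = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    """True if the statement's Action covers the action (simplification: Resource must be "*")."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatch.fnmatchcase(action, a) for a in actions) and "*" in resources


def _names_principal(stmt, arn):
    """True if the statement's Principal.AWS element lists exactly this ARN."""
    return arn in _as_list(stmt.get("Principal", {}).get("AWS", []))


def _effect(policy, action, principal_filter=None):
    """Return "Deny", "Allow" or None for the matching statements of a policy."""
    result = None
    for stmt in policy.get("Statement", []):
        if principal_filter is not None and not principal_filter(stmt):
            continue
        if not _statement_matches(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny always wins
        if stmt.get("Effect") == "Allow":
            result = "Allow"
    return result


def is_allowed(principal_arn, action, key_policy, iam_policy):
    """Simplified KMS authorization for a principal carrying an identity-based IAM policy."""
    account = principal_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    is_root_user = principal_arn == root_arn

    # Key policy statements that name the caller itself (the root user is named by the root ARN).
    key_direct = _effect(key_policy, action, lambda s: _names_principal(s, principal_arn))
    # Key policy statements that name the caller's account root, i.e. the "enable IAM" delegation.
    key_account = _effect(key_policy, action, lambda s: _names_principal(s, root_arn))
    # The root user has no IAM policies; IAM principals are also judged by their IAM policy.
    iam = None if is_root_user else _effect(iam_policy, action)

    if "Deny" in (key_direct, key_account, iam):
        return False
    if key_direct == "Allow":
        return True
    # The root statement only delegates to IAM: both sides must say Allow.
    return key_account == "Allow" and iam == "Allow"


if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/alice"   # constructed same-account IAM user
    bob = "arn:aws:iam::999988887777:user/bob"       # constructed IAM user in another account
    print("root user, no IAM policy:", is_allowed("arn:aws:iam::111122223333:root", "kms:Decrypt", KEY_POLICY, IAM_NO_KMS))
    print("alice, no IAM policy:    ", is_allowed(alice, "kms:Decrypt", KEY_POLICY, IAM_NO_KMS))
    print("alice, IAM allows Decrypt:", is_allowed(alice, "kms:Decrypt", KEY_POLICY, IAM_DECRYPT_ONLY))
    print("bob (other account):     ", is_allowed(bob, "kms:Decrypt", KEY_POLICY, IAM_DECRYPT_ONLY))
    print("alice, key policy lacks statement:", is_allowed(alice, "kms:Decrypt", KEY_POLICY_WITHOUT_IAM, IAM_DECRYPT_ONLY))
```

The model reconciles the two texts: the ebook's "IAM entities in the account gain full access" holds only in the sense that the key policy no longer blocks them, while the AWS article's "if the required permissions are attached to the IAM entity" is the condition that actually decides. The cross-account case shows why the statement is scoped to one account: an IAM policy in another account cannot reach the key unless the key policy names that account too.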
