KMS default key policy :-(
It is a bit confusing for me and I need some help:
In the Dojo's ebook Security Specialty (page 93), it says:
Either way, you should see the first statement of your default key policy similar to this:
{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
    "Action": "kms:*",
    "Resource": "*"
}
Take a look at the value of the Principal. At first glance, one could naturally assume that the policy is granting access to the root user. However, this is not the case. Keep in mind that the "root" does NOT pertain to the root user of the account. What it actually implies is that it allows IAM entities (e.g., IAM Users, IAM Roles) in 123456789123 AWS Account to gain full access to the CMK. Simply put, the first statement is allowing IAM to further manage the permissions to your CMK.
"it actually implies is that it allows IAM entities (e.g., IAM Users, IAM Roles) in 123456789123 AWS Account to gain full access to the CMK" => I understood that any principal (users, roles) in the account has full access to this KMS key.
On the other hand, from this link, https://aws.amazon.com/premiumsupport/knowledge-center/kms-prevent-access/
{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*"
}
In this example, the Effect and Principal elements don’t refer to the AWS root user account. The Amazon Resource Names (ARN) allows permissions to the KMS key with this IAM policy. Any principal in the AWS account 111122223333 has root access to the KMS key if the required AWS Key Management Service (AWS KMS) permissions are attached to the IAM entity.
It means any principal (except root) has full access ONLY IF the principal has an IAM policy (allowing full access) attached to the principal. Am I wrong? (And it is the opposite explanation from the Dojo's ebook.)
(It looks like the KMS key policy does not work exactly like other resource policies, i.e. S3.)
Thanks.
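As an added illustration (not from the post, the ebook or the AWS article), here is a simplified Python model of the evaluation both quotes describe: a key policy statement whose principal is the account "root" ARN grants nothing on its own, it only lets IAM identity policies from that account apply to the key, whereas a key policy statement that names a specific principal ARN allows that principal directly. The policies, principal names and role names are constructed for the example; explicit denies, conditions, grants and SCPs are left out.

```python
from fnmatch import fnmatchcase

# Constructed key policy: the "Enable IAM User Permissions" statement quoted
# in the post plus a second statement that names one role ARN directly.
KEY_POLICY = [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow backup role directly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789123:role/BackupRole"},
     "Action": ["kms:Decrypt"], "Resource": "*"},
]

# Constructed IAM identity policies, keyed by principal ARN (names assumed).
IDENTITY_POLICIES = {
    "arn:aws:iam::123456789123:user/alice": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}],
    "arn:aws:iam::999999999999:user/bob": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
}

def account_id(arn):
    return arn.split(":")[4]

def action_allowed(stmt, action):
    # Simplified matcher: Allow statements only, wildcard actions via fnmatch.
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return stmt["Effect"] == "Allow" and any(fnmatchcase(action, p) for p in patterns)

def kms_allows(principal_arn, action):
    """Return (allowed, reason) for a principal calling a KMS action on this key."""
    iam_enabled = False
    for stmt in KEY_POLICY:
        who = stmt["Principal"]["AWS"]
        if who == principal_arn and action_allowed(stmt, action):
            return True, f"key policy statement '{stmt['Sid']}' names the principal"
        # An account-root principal does not grant anything by itself; it only
        # lets IAM identity policies from that account apply to the key.
        if who == f"arn:aws:iam::{account_id(principal_arn)}:root" and action_allowed(stmt, action):
            iam_enabled = True
    if not iam_enabled:
        return False, "key policy does not delegate to IAM for this account"
    for stmt in IDENTITY_POLICIES.get(principal_arn, []):
        if action_allowed(stmt, action):
            return True, "key policy delegates to IAM and an identity policy allows it"
    return False, "key policy delegates to IAM but no identity policy allows the action"
```

Running kms_allows for a user in account 123456789123 with no identity policy returns a denial, which is the behaviour the AWS article describes; the same user with a kms:Decrypt identity policy is allowed, and a user from another account is denied even with a broad identity policy.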