I have a use case where a kms key would be used to encrypt and decrypt data . how can I make sure that only the specific lambda should be able to use the kms key from AWS polices .
I tried adding Lambda ARN in kms key policies while creating, but looks like its not allowed to do the same .
how can I achieve my use case ?
Here are the steps:
Create an IAM Role for Lambda without any permissions attached.
Select the same for Define key usage permissions while creating the key.
Attach the IAM Role to the Lambda.
Start using the KMS Key in the Lambda.
As per the AWS KMS documentation
The default key policy that the console creates for symmetric CMKs allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.
Related
I have a s3 bucket structure like..
device1/01
device2/01
device3/01
Each device has their own KMS key. I used boto3 to create structure and encryption.
s3_client.put_object(
Body="Hello world",
Bucket='MyBucket',
Key="device1/01",
ServerSideEncryption='aws:kms',
SSEKMSKeyId='device1_kms_key_id'
)
Now if I keep using this put_object() with different KMS, will s3 policy get updated and have all KMS's access automatically?
It's the Kms policy that needs to be updated so that you have access to the kms operations the you need for the specific keys.
Alternatively the iam policy could be updated to provide you access to the keys.
The s3 resource policy is unrelated.
None of this happen automatically.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-default-encryption/
We have a number of SecureString SSM Parameter Store values created via our bash script automations. These are encrypted with an environment-specific KMS key + Alias created via CloudFormation.
Also in the templates are IAM Roles for our EC2 instances, which need to allow retrieval and decryption of the SSM parameters. To allow this we granted access to those IAM Roles upon KMS key creation by referencing their role ARNs as principles.
However, we have some non-environment-specific SSM variables on our AWS account that persist outside of our environment CloudFormation stacks and are used by all environments.
We have recently adapted those parameters to be encrypted with the default KMS key -- alias/aws/ssm.
This approach causes an issue in regards to automation, as we need to grant usage of the default KMS key to our IAM Roles in CloudFormation. I've read the AWS documentation and cannot figure out a way of doing this.
Has anyone managed to automate this?
The default KMS key alias/aws/ssm is an AWS managed CMK. We cannot establish IAM policies or KMS key policies for AWS Managed CMKs.
Excerpt from AWS KMS FAQ,
AWS will manage the policies associated with AWS managed CMKs on your
behalf. You can track AWS managed keys in your account and all usage
is logged in AWS CloudTrail, but you have no direct control over the
keys themselves.
You don't have worry about defining IAM roles for accessing alias/aws/ssm key, having access to the required SSM parameter is sufficient.
Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as default for root volumes/EBS & AMI, which is preventing sharing of AMI/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMI's across accounts which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias, aws/ebs), copy those snapshots and reencrypt them under a custom CMK you created in KMS. You will then be able to modify the key policy on the custom CMK to be able to grant access to the key to any number of external accounts.
Create an AWS KMS customer master key (CMK)
Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation
Add the target account to the CMK created in step 1. (In Other AWS Accounts subsection)
Create a policy on the target account to the AWS KMS operations. Allow kms actions - DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
I have a use case, where an IAM user in Account-A has access to files in an S3 bucket in Account-B.
I want to access these files from a Lambda function in Account-A.
Do I need to mention the credentials of IAM user while accessing the files? Is there any other alternative to that?
You can associate an IAM Role with an AWS Lambda function. When the function runs, it uses the permissions associated with that IAM Role.
If your Lambda function is running in Account-A and it needs to access Amazon S3 objects in Account-B, there are two options:
Option 1: Add a Bucket Policy to the bucket in Account-B that permits the IAM Role to access the objects, or
Option 2: Add an IAM Role in Account-B that has access to the bucket and give permission for the Lambda function to assume the role. The Lambda function will then have temporary credentials to access the bucket.
The fact that you have an IAM User that has access to the objects in Amazon S3 does not help in this situation, since the Lambda function obtains its permissions from an IAM Role, not an IAM User.
The best way to do this is to create a Lambda execution role in Account-A with any permissions the function needs, such as assuming a cross-account role in Account-B. In most situations if Account-B was willing to grant permissions to an IAM user in Account-A, they should be fine with providing an IAM role with similar permissions for you to assume. This is much safer than using an IAM access key as there are no permanent credentials to leak, only temporary credentials that will expire after a maximum of 12 hours.
If for whatever reason you can't get anything to be changed in Account-B, you could use your existing user directly. The simplest way to do this would involve hard coding the access key ID and secret access key into your Lambda, but this introduces a lot of problems from a secrets management perspective. Now if your code is leaked, the data in Account-B's bucket would be compromised. AWS Secrets Manager is a decent native option for storing the keys outside of your code, but will require learning some API calls to incorporate it into your function.
What I want to do is attach an EC2 instance to an IAM group and give that group access to keys for an S3 bucket in CKMs.
What's the best way to do this?
When you create a Customer Master Key (CMK), you define a key policy that dictates who can manage and/or use the CMK. Specifically, you can configure the key policy to enable access to the CMK from IAM users and IAM roles in the account. The latter, IAM roles, is what you would use to confer these rights to an EC2 instance.