We have a number of SecureString SSM Parameter Store values created via our bash script automations. These are encrypted with an environment-specific KMS key + Alias created via CloudFormation.
Also in the templates are IAM Roles for our EC2 instances, which need to allow retrieval and decryption of the SSM parameters. To allow this we granted access to those IAM Roles upon KMS key creation by referencing their role ARNs as principles.
However, we have some non-environment-specific SSM variables on our AWS account that persist outside of our environment CloudFormation stacks and are used by all environments.
We have recently adapted those parameters to be encrypted with the default KMS key -- alias/aws/ssm.
This approach causes an issue in regards to automation, as we need to grant usage of the default KMS key to our IAM Roles in CloudFormation. I've read the AWS documentation and cannot figure out a way of doing this.
Has anyone managed to automate this?
The default KMS key alias/aws/ssm is an AWS managed CMK. We cannot establish IAM policies or KMS key policies for AWS Managed CMKs.
Excerpt from AWS KMS FAQ,
AWS will manage the policies associated with AWS managed CMKs on your
behalf. You can track AWS managed keys in your account and all usage
is logged in AWS CloudTrail, but you have no direct control over the
keys themselves.
You don't have worry about defining IAM roles for accessing alias/aws/ssm key, having access to the required SSM parameter is sufficient.
Related
I am trying to create a terraform script which is creating AWS IAM user with secret key and access key id. Same script is also creating AWS EC2.
now where I am getting stuck is in to set those keys in ~/.aws/credential file(like aws configure does) in EC2.
What you're trying to do is not the recommended solution. If you want to grant any access to your EC2 instances then do so via IAM Roles rather than keys. You have to attach a Role with permissions to your EC2 and it can call other services same like it would do from AWS profile (using keys).
Reference to how to achieve this in Terraform: https://skundunotes.com/2021/11/16/attach-iam-role-to-aws-ec2-instance-using-terraform/
I have a use case where a kms key would be used to encrypt and decrypt data . how can I make sure that only the specific lambda should be able to use the kms key from AWS polices .
I tried adding Lambda ARN in kms key policies while creating, but looks like its not allowed to do the same .
how can I achieve my use case ?
Here are the steps:
Create an IAM Role for Lambda without any permissions attached.
Select the same for Define key usage permissions while creating the key.
Attach the IAM Role to the Lambda.
Start using the KMS Key in the Lambda.
As per the AWS KMS documentation
The default key policy that the console creates for symmetric CMKs allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.
I want to create a S3 Bucket via CloudFormation template. I found there is a way to do it for EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using creating Cloudformation template, you can have 2 ways to do it:
Cloudformation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way
Secondly (Optional), you can choose an existing role that can be attached to the CF template. Cloudformation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket as can be seen in the attached screenshot
What I want to do is attach an EC2 instance to an IAM group and give that group access to keys for an S3 bucket in CKMs.
What's the best way to do this?
When you create a Customer Master Key (CMK), you define a key policy that dictates who can manage and/or use the CMK. Specifically, you can configure the key policy to enable access to the CMK from IAM users and IAM roles in the account. The latter, IAM roles, is what you would use to confer these rights to an EC2 instance.
I am trying to configure jboss to use AWS IAM Roles for accessing S3 and SQS. All of the documentation I've seen uses static access and secret keys rather than the dynamic keys that roles allow for.
Is there any documentation on doing this?
Create an EC2 instance assigning that Role. Whatever you run any app in that instance will be able to access the AWS resources.
This way you don't need to write any code for security within the application.
Also in your code you don't need to supply any credentials when you assign the role to the EC2 instance.
In AWS there are two approaches to provide permission using AWS IAM to your code to access AWS resources such as S3 and SQS.
If your code runs in Amazon Compute Services such as EC2, Lambda it is recommended to create a IAM Role with required policies to access S3 & SQS also allowing the Compute Service (EC2, Lambda) to assume that role (Using Trust Relationships). After attaching this role, either to EC2 or Lambda, you can directly use AWS SDK to access S3 and SQS without needing any credentials or access tokens to configure for SDK.
For more information, see Using an IAM Role to Grant Permissions to
Applications Running on Amazon EC2 Instances.
If your code runs on premise or external to the Amazon infrastructure, you need to create a IAM user with required policies and also create access keys (Access Key ID & Secret Key) and initialize SDK to allow access to S3 or SQS as shown below.
var AWS = require('aws-sdk');
AWS.config.credentials = new AWS.Credentials({
accessKeyId: 'akid', secretAccessKey: 'secret'
});