You have a Jenkins server deployed in EC2
One Jenkins pipeline is used to build artifacts.
It needs to fetch some source files from an S3 bucket which is encrypted with a Customer Master Key (CMK) in KMS.
The pipeline was working fine.
However, it suddenly stopped working early this week.
You have found that the Jenkins task failed to decrypt the S3 data using the CMK.
Which one may be the cause of the failure?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - C.
Users should check if the IAM role can use the CMK in both the IAM policy and key policy.
At least there should be an allow in either policy, and there should not be any explicit deny.
Option A is incorrect: Because the Jenkins EC2 should use an IAM role instead of an IAM user.
IAM roles do not have the issue of token expire.
Option B is incorrect: Because the ViaService condition for EC2 service would allow the key usage for EC2 instances so that it should not cause the issue.
Option C is CORRECT: Because an explicit deny will disallow the key to be used by the Jenkins server.
That may be a cause of the failure.
Option D is incorrect: Because the kms:encryption allows in-service control policy (SCP) should not result in this failure.
The cause of the failure could be any of the options given, but the most likely one is C. The key policy of the CMK was recently modified with a deny for the IAM role that Jenkins EC2 is using.
Let's look at each option and see how it could cause the failure:
A. The secret access key and access key token have expired for the Jenkins EC2 IAM user. This could cause the pipeline to fail if the access keys are no longer valid. However, it would not affect the decryption of S3 data using the CMK.
B. The key policy of the CMK was added with a ViaService condition for EC2 service. This would restrict the use of the CMK to only EC2 instances that are launched by the EC2 service. However, since the Jenkins server is already launched and running, this change would not affect it. Therefore, this option is unlikely to be the cause of the failure.
C. The key policy of the CMK was recently modified with a deny for the IAM role that Jenkins EC2 is using. This is the most likely cause of the failure. If the key policy of the CMK is modified to deny the IAM role that Jenkins EC2 is using, then the decryption of S3 data using the CMK would fail. The Jenkins server would not have permission to use the CMK, and the pipeline would fail.
D. An SCP policy was added in the Organization which allows kms:encryption operation for EC2 resources. This option would allow the EC2 instance to perform KMS encryption operations. However, it would not affect the decryption of S3 data using the CMK. Therefore, this option is unlikely to be the cause of the failure.
In conclusion, option C is the most likely cause of the failure. It is recommended to review the key policy of the CMK to ensure that the IAM role used by Jenkins EC2 has the required permissions to use the CMK for decryption.