AWS Key Policy Best Practices

Restricting Grant Creation to Integrated AWS Services

Question

As a Cloud Security Engineer, you perform a security audit of AWS services that your company is using.

You have found that for customer master keys (CMKs) in KMS, the key policies are too open, allowing almost all services or users to use them.

Take the key policy statement below as an example:

    {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:user/John" },
        "Action": "kms:CreateGrant",
        "Resource": "*"
    }

The user John can create grants on the key without any restriction.

You want to add a condition to the key policy to ensure that grants can only be created by integrated AWS services, not by the user directly.

How should you achieve that?

Answers

Explanations

A. B. C. D.

Answer: B.

Option A is incorrect because kms:ViaService limits the use of a CMK to requests from specified AWS services.

It cannot work with the kms:CreateGrant action.

Option B is CORRECT because when kms:GrantIsForAWSResource is true, only integrated AWS services can create grants.

Option C is incorrect because kms:KeyOrigin is used to control access to the CreateKey action based on the Origin parameter in the request.

Valid values for Origin are AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.

Option D is incorrect because kms:GranteePrincipal can control access to the CreateGrant operation.

CreateGrant is allowed only when the GranteePrincipal parameter in the request matches that in the condition.

It is not suitable for this scenario.

For more information, refer to the URL below.

https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource
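As an added audit check that is not part of the original question or of AWS's own tooling, the script below walks a key policy and flags every Allow statement that permits kms:CreateGrant without a Bool kms:GrantIsForAWSResource condition set to true. The function names and the two sample policies (the page's open statement for John and a hardened copy of it) are constructed for this example.

```python
# Audit helper (constructed example): flag key-policy statements that allow
# kms:CreateGrant without the kms:GrantIsForAWSResource condition.
import fnmatch

GRANT_COND = "kms:GrantIsForAWSResource"

def _as_list(value):
    # Statement and Action may be a single string/dict or a list.
    return value if isinstance(value, list) else [value]

def _allows_create_grant(statement):
    # IAM action names are case-insensitive and may use wildcards (kms:*).
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(fnmatch.fnmatchcase("kms:creategrant", a) for a in actions)

def _restricted_to_aws_services(statement):
    # Only a Bool condition pinning GrantIsForAWSResource to true counts.
    value = statement.get("Condition", {}).get("Bool", {}).get(GRANT_COND)
    return value is True or str(value).lower() == "true"

def unrestricted_create_grant_statements(policy):
    """Return the Sid (or index) of each Allow statement that lets callers
    other than integrated AWS services create grants on the key."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _allows_create_grant(stmt):
            continue
        if not _restricted_to_aws_services(stmt):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed samples: the page's open statement and a hardened version of it.
OPEN_STATEMENT = {
    "Sid": "OpenGrant",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/John"},
    "Action": "kms:CreateGrant",
    "Resource": "*",
}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [OPEN_STATEMENT]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {**OPEN_STATEMENT, "Sid": "GrantViaAWSServiceOnly",
     "Condition": {"Bool": {GRANT_COND: "true"}}},
]}

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        flagged = unrestricted_create_grant_statements(pol)
        print(f"{name}: unrestricted CreateGrant statements = {flagged}")
```

Running it reports the open statement as a finding and the hardened statement as clean; a wildcard such as "kms:*" without the condition is flagged as well.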

The correct answer to this question is A. Add the condition below to the key policy: "Condition": {"Bool": {"kms:ViaService": true}}.

Explanation:

The AWS Key Management Service (KMS) is a managed service that enables you to create and manage the encryption keys used to encrypt your data. The customer master key (CMK) is a cryptographic key that you use to encrypt and decrypt data. You can create a CMK in KMS and use it to encrypt and decrypt up to 4 KB of data.

The key policy is a document that determines who can use the CMK and what they can do with it. In this case, the key policy is too open, allowing almost all services or users to use the key.

To ensure that only integrated AWS services can create grants on the key, you need to add a condition to the key policy. The "kms:ViaService" condition key limits access to the specified AWS services that are integrated with KMS. If the request is made by an AWS service that is not integrated with KMS, the request is denied.

Therefore, the correct answer is to add the following condition to the key policy:

"Condition": {"Bool": {"kms:ViaService": true}}

Option B ("kms:GrantIsForAWSResource": true) is incorrect because it restricts the grant to AWS resources only, not services.

Option C ("kms:KeyOrigin": true) is incorrect because it limits the use of the key to a specific key origin.

Option D ("kms:GranteePrincipal": true) is incorrect because it limits the use of the key to a specific grantee principal.