Understanding Grants in AWS KMS

Tags: aws, aws kms, aws security | Jan 29, 2024

Introduction

Grants provide a flexible way to manage access to our KMS keys without directly altering our key or IAM policies. Let's dive into what grants are, how they work, and how we can use them effectively.

What Are Grants?

In AWS KMS, a grant is essentially a way to give temporary permissions to use an AWS KMS key. These permissions can be granted to principals in other AWS accounts and to IAM users and roles within our own account. The operations a grant can allow range from cryptographic operations such as encrypting and decrypting data, to signing and verifying digital signatures, and even to creating further grants.

Key Points about Grants:

  • Each grant is specific to one AWS KMS key and can include one or more IAM principals (users or roles).
  • The operations that a principal can perform are defined within the grant itself.
  • Grants do not expire automatically; they must be manually deleted when they are no longer needed.
  • Using grants means we do not have to modify the KMS Key Policy or IAM Policy directly.


Use Cases of AWS KMS Grants

Grants are particularly useful when temporary access to KMS keys is needed.

This feature is often used by AWS services themselves to manage encrypted data. For example, when a service like Amazon EBS or Amazon Redshift needs to encrypt data at rest, it creates a grant to use the necessary KMS key, performs the encryption, and then retires the grant once the operation is complete. When using AWS services that integrate with KMS, such as attaching an encrypted EBS volume to an EC2 instance or launching an encrypted Amazon Redshift cluster, a custom KMS Key Policy is often necessary. This policy allows these AWS services to create and manage grants for their operations, ensuring that they can manage or use encrypted resources securely and efficiently.

Creating and Managing KMS Key Grants

Creating a Grant

We typically create a grant using the AWS Command Line Interface (CLI). While the AWS Management Console is the go-to tool for many tasks, it currently does not support creating grants.

The aws kms create-grant command allows us to create a new grant for an AWS KMS key. When we execute aws kms create-grant, we're essentially specifying who can use the KMS key and what actions they are allowed to perform with it. Here's a brief overview of how the command works and some of the key parameters you might use:

Syntax:

  aws kms create-grant \
    --key-id <value> \
    --grantee-principal <value> \
    --operations <value> \
    [other optional parameters]

Parameters:

  • --key-id (string): The unique identifier for the KMS key. You can use the key ID, key ARN (Amazon Resource Name), alias name, or alias ARN.
  • --grantee-principal (string): The principal that is being given permission to use the KMS key. This can be an AWS account ID, IAM role, or IAM user.
  • --operations (list): The list of operations that the grantee is allowed to perform. This can include actions like Encrypt, Decrypt, Sign, Verify, and others.

There are additional parameters we can include, such as --retiring-principal (the principal permitted to retire the grant) and constraints that limit the conditions under which the grant is effective.

Example:

  aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::123456789012:user/ExampleUser \
    --operations Encrypt Decrypt \
    --name "ExampleGrant"

This command creates a grant for the KMS key identified by 1234abcd-12ab-34cd-56ef-1234567890ab, allowing the user ExampleUser in the account 123456789012 to perform Encrypt and Decrypt operations. The --name parameter is optional and can be used to assign a friendly name to the grant for easier management.

Deleting a Grant

Remembering to delete a grant when it is no longer required is crucial. Because grants never expire on their own, a forgotten grant leaves standing access to the key in place, which is a security risk.

The aws kms revoke-grant command is used to revoke a grant, effectively removing the permissions granted to a principal. By revoking a grant, we ensure that the principal can no longer perform the actions specified in the grant, thus adhering to the principle of least privilege and reducing potential security risks.

Syntax:

  aws kms revoke-grant \
    --key-id <value> \
    --grant-id <value>

Parameters:

  • --key-id (string): The identifier for the KMS key associated with the grant. This can be the key's ID, ARN, alias name, or alias ARN.
  • --grant-id (string): The unique identifier for the grant you wish to revoke. This ID is returned by the create-grant command when a new grant is created.

Example:

  aws kms revoke-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grant-id 87654321-abcd-4321-efgh-567890abcdef

This example revokes a grant with the ID 87654321-abcd-4321-efgh-567890abcdef for the KMS key identified by 1234abcd-12ab-34cd-56ef-1234567890ab. After executing this command, the principal associated with the revoked grant will no longer have access to the KMS key for the operations specified in the grant.
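
Putting the two commands together, here is a small Python helper that covers the whole lifecycle described in the create and revoke sections above. It is an added example, not code from the original post: it builds the create-grant command line (including the real --constraints parameter, used here to tie the grant to an encryption context, which the post only alludes to as "conditions"), captures the GrantId that create-grant returns so the grant can be revoked later, and audits list-grants output for grants older than a threshold, since grants never expire on their own. The sample responses, the "app": "payroll" encryption context, the second grant and the BatchRole principal are constructed for the example; the key ID, user ARN and first grant ID are the post's own values.

```python
"""Grant lifecycle helpers built around the CLI commands in this post.

Added example, not the post's own code. Assumptions: the AWS CLI v2 is on
PATH and prints JSON with ISO 8601 timestamps (its default); run_cli() is
the only function that actually calls AWS. Everything else works on plain
dicts, so it can be exercised offline against the CONSTRUCTED samples below.
"""
import json
import shlex
import subprocess
from datetime import datetime, timedelta, timezone


def create_grant_command(key_id, grantee, operations, name=None,
                         retiring_principal=None, encryption_context=None):
    """Build the `aws kms create-grant` argv. encryption_context, if given,
    becomes an EncryptionContextSubset constraint, so the grant only works
    for requests that carry that context (the real --constraints parameter)."""
    argv = ["aws", "kms", "create-grant",
            "--key-id", key_id,
            "--grantee-principal", grantee,
            "--operations", *operations]
    if name:
        argv += ["--name", name]
    if retiring_principal:
        argv += ["--retiring-principal", retiring_principal]
    if encryption_context:
        argv += ["--constraints",
                 json.dumps({"EncryptionContextSubset": encryption_context})]
    return argv


def grant_id_from_create_output(output_json):
    """create-grant prints {"GrantToken": ..., "GrantId": ...}. Record the
    GrantId: revoke-grant needs it, and there is no other handle later."""
    return json.loads(output_json)["GrantId"]


def revoke_grant_command(key_id, grant_id):
    """Build the `aws kms revoke-grant` argv for a grant found by an audit."""
    return ["aws", "kms", "revoke-grant",
            "--key-id", key_id, "--grant-id", grant_id]


def _creation_time(value):
    """list-grants CreationDate arrives as an ISO 8601 string (CLI v2
    default) or as epoch seconds (CLI v1 default)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_grants(list_grants_response, now, max_age_days=7):
    """Grants never expire on their own, so any grant older than the job
    that needed it is standing access. Return those past max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for grant in list_grants_response.get("Grants", []):
        created = _creation_time(grant["CreationDate"])
        if created < cutoff:
            stale.append({"GrantId": grant["GrantId"],
                          "Name": grant.get("Name", ""),
                          "GranteePrincipal": grant.get("GranteePrincipal", ""),
                          "Operations": grant.get("Operations", []),
                          "AgeDays": (now - created).days})
    return stale


def run_cli(argv):
    """Single point of contact with AWS: run a CLI command, parse its JSON."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


# CONSTRUCTED sample data shaped like CLI output (key, user and first grant
# ID are the post's; the token, second grant and role are made up).
SAMPLE_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CREATE_OUTPUT = json.dumps({"GrantToken": "EXAMPLE-GRANT-TOKEN",
                                   "GrantId": "87654321-abcd-4321-efgh-567890abcdef"})
SAMPLE_NOW = datetime(2024, 1, 29, tzinfo=timezone.utc)
SAMPLE_LIST_OUTPUT = {"Grants": [
    {"GrantId": "87654321-abcd-4321-efgh-567890abcdef", "Name": "ExampleGrant",
     "CreationDate": "2024-01-01T09:00:00+00:00",
     "GranteePrincipal": "arn:aws:iam::123456789012:user/ExampleUser",
     "Operations": ["Encrypt", "Decrypt"]},
    {"GrantId": "0f0f0f0f-0000-4000-8000-000000000002", "Name": "nightly-batch",
     "CreationDate": 1706400000,  # epoch form: 2024-01-28T00:00:00Z
     "GranteePrincipal": "arn:aws:iam::123456789012:role/BatchRole",
     "Operations": ["Decrypt"]},
]}

if __name__ == "__main__":
    grantee = "arn:aws:iam::123456789012:user/ExampleUser"
    print(shlex.join(create_grant_command(SAMPLE_KEY_ID, grantee, ["Encrypt", "Decrypt"],
                                          name="ExampleGrant",
                                          encryption_context={"app": "payroll"})))
    print("created grant", grant_id_from_create_output(SAMPLE_CREATE_OUTPUT))
    # A live audit would call: stale_grants(run_cli(["aws", "kms", "list-grants",
    # "--key-id", SAMPLE_KEY_ID]), datetime.now(timezone.utc))
    for grant in stale_grants(SAMPLE_LIST_OUTPUT, SAMPLE_NOW):
        print(f"stale {grant['AgeDays']}d: {grant['Name']} -> "
              + shlex.join(revoke_grant_command(SAMPLE_KEY_ID, grant["GrantId"])))
```

Run as-is, the script works purely on the constructed samples: it prints the create-grant command it would issue, flags the 27-day-old ExampleGrant as stale, and prints the matching revoke-grant command; swap in run_cli() to audit a real key. Threshold the age at whatever the job that needed the grant should have taken, and treat anything beyond it as access to review.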

Conclusion

Grants in AWS KMS offer a powerful and flexible way to manage access to our cryptographic keys. They allow temporary permissions without altering existing policies, and they give users and AWS services a way to perform the operations they need. Remember, the key to using grants effectively is understanding when and how to create them, and making sure they are deleted when no longer needed.

See also

Compare key policies and grants at cloudericks.com/blog/understanding-aws-kms-key-policies-vs-grants.
