Home Membership Courses Blog
About Contact

Understanding Key Policies in AWS KMS

all aws aws kms aws security Jan 29, 2024

Introduction

Understanding how to control access to our KMS keys is essential for maintaining data security and compliance. Here, we'll demystify the key policies in AWS KMS, making it simple to grasp their importance and how to use them effectively.

The Basics of KMS Key Policies

A KMS key policy is a JSON document that clearly specifies who can access the key and under what conditions. The policy structure allows for granular control, including specifying actions (like "kms:Encrypt" or "kms:Decrypt"), effect (allow or deny), and resources. It enables precise management of permissions, ensuring that only authorized users and services can perform cryptographic operations or manage the key.

At the core, controlling access to KMS keys is similar to managing access to S3 bucket policies. However, a key distinction is that we cannot access KMS keys without defining key policies; however, we can access the S3 bucket without creating an S3 bucket policy as the access permissions can also be set through other means such as IAM, ACLs, public bucket settings, etc.

Default KMS Key Policy

When we create a new AWS KMS key and don't specify a key policy, AWS KMS automatically attaches a default key policy to the key. This default policy is designed to give full access to the key to the account's root user.  We can further use IAM policies to allow other IAM users and services access to the key. In a way, the default KMS policy delegate access control to IAM.

Custom KMS Key Policy

Custom KMS Key Policies allow us to define precisely who can access and administer our KMS keys. This is where we can specify which users or roles can manage the key's permissions (key administrators) and who can use the key (key users).

Custom policies are particularly useful for scenarios requiring cross-account access, enabling us to securely share our cryptographic keys with users from another AWS account.

Types of KMS Key Policies

Understanding the different types of keys available in AWS KMS is essential for managing our key policies:

  • AWS Owned Keys: These are keys owned and managed by AWS for use in multiple AWS accounts. We cannot view or change the key policy of these keys.

  • AWS Managed Keys (e.g., aws/ebs): AWS manages these keys, but they are designated for our account's use. We can view the key policy but cannot change it.

  • AWS Customer Managed Keys: These are keys that we manage and have full control over. We can view and edit the key policy, offering the most flexibility for managing access.

Customizing Our KMS Key Policy

For Admins

For our AWS Customer Managed Keys, we can define administrators who have permission to manage the key itself. It's important to note that being an administrator does not grant the ability to perform cryptographic operations with the key (like encrypting or decrypting data). Instead, administrators can manage the key's policy and permissions.

For Users

We can also specify which IAM users or roles can use the KMS key directly for cryptographic operations. If the KMS key and the IAM principal are in the same account, we don't need to attach IAM policies to those users or roles for them to use the key; the key policy itself is enough to grant this permission. However,  IAM policies can still be useful to restrict a user's or role's actions to a subset of what the key policy allows or enforce conditions for access (like MFA authentication).

Conclusion

Managing key policies in AWS KMS is foundational to securing our cloud environment. By understanding and utilizing the default and custom key policies, we can ensure that our keys are accessible only to the right users and services. Whether we're using AWS-managed keys for common AWS services or managing our own keys for granular control, the key policy is our tool for safeguarding access to our cryptographic keys.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to askĀ doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group andĀ ask any questions directly to Heartin and the Cloudericks team! You can alsoĀ get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud,Ā ask for a complimentary membership to KEWA group.Ā 

Explore Membership