Teri Radichel


Cannot Create Secrets Manager Secret with KMS key without DECRYPT permissions

Should be able to have a role with encrypt only permissions put a secret in Secrets Manager

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please tell me this is a bug.

I created a role with encrypt-only permissions. I’m using that role to run this script, which stores a value in Secrets Manager only. This role will not be the same role that retrieves the secret later, so it should not need decrypt permissions.

Once again getting an ambiguous KMS error:

Access to KMS is not allowed

This error message is incorrect because I’ve checked and the role does have KMS permissions. In addition, that role has permission to ENCRYPT a value with the key.

So I go over to CloudTrail and I find two related errors:

Secrets Manager via CloudFormation provides this unhelpful information:

The KMS error says:

Why would this role need DECRYPT permission to create a secret and encrypt it in KMS?

I do not WANT this role to have decrypt permissions, only encrypt permissions.

Also, where is the ENCRYPT action in the logs? There’s nothing that can even be decrypted at this point because the value hasn’t even been encrypted.
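The CloudTrail check I would run before touching any key policy, as an added example that is not code from the post: pull the failed kms.amazonaws.com calls out of a CloudTrail log, show which principal made each one and whether a service made the call on the principal's behalf (the userIdentity.invokedBy field, which is how Secrets Manager uses your key), and count which KMS actions were called at all. The encrypt step of Secrets Manager is envelope encryption, so it appears in the logs as GenerateDataKey rather than Encrypt. The records are constructed for the example; the account id, key id, role, secret name and the Secrets Manager error code are placeholders.

```python
"""Triage "Access to KMS is not allowed" from CloudTrail records.

Added example, not the author's code. Lists denied KMS calls with the
principal, the invoking service and the encryption context, and counts
the KMS actions actually called so the encrypt step is visible as
GenerateDataKey. All records below are constructed; ARNs are placeholders.
"""
import json

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_SESSION = "arn:aws:sts::111122223333:assumed-role/DeploySecretRole/deploy"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-password-AbCdEf"

# Constructed CloudTrail log file; real records carry many more fields.
SAMPLE_LOG = json.dumps({"Records": [
    {   # Secrets Manager rejects the CreateSecret that CloudFormation issued.
        "eventSource": "secretsmanager.amazonaws.com", "eventName": "CreateSecret",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                         "invokedBy": "cloudformation.amazonaws.com"},
        "errorCode": "AccessDeniedException",  # placeholder error code
        "errorMessage": "Access to KMS is not allowed",
    },
    {   # Secrets Manager wraps a data key using the caller's credentials: allowed.
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                         "invokedBy": "secretsmanager.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"SecretARN": SECRET_ARN}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # The Decrypt Secrets Manager also makes for the caller: denied by the key policy.
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                         "invokedBy": "secretsmanager.amazonaws.com"},
        "errorCode": "AccessDenied",
        "errorMessage": f"User: {ROLE_SESSION} is not authorized to perform: "
                        f"kms:Decrypt on resource: {KEY_ARN}",
        "requestParameters": {"encryptionContext": {"SecretARN": SECRET_ARN}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
]})


def load_records(log_text):
    """Accept a CloudTrail log file ({"Records": [...]}) or a bare JSON list of records."""
    data = json.loads(log_text)
    return data["Records"] if isinstance(data, dict) else data


def denied_kms_calls(records):
    """One finding per failed kms.amazonaws.com call, in log order."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or "errorCode" not in rec:
            continue
        identity = rec.get("userIdentity", {})
        keys = [r.get("ARN") for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        findings.append({
            "action": "kms:" + rec["eventName"],
            "principal": identity.get("arn"),
            "via_service": identity.get("invokedBy"),   # None when the caller hit KMS directly
            "key_arn": keys[0] if keys else None,
            "encryption_context": rec.get("requestParameters", {}).get("encryptionContext", {}),
            "error": rec["errorCode"],
        })
    return findings


def kms_actions_by_outcome(records):
    """Map each KMS action seen to how often it succeeded and how often it was denied."""
    counts = {}
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        bucket = counts.setdefault("kms:" + rec["eventName"], {"ok": 0, "denied": 0})
        bucket["denied" if "errorCode" in rec else "ok"] += 1
    return counts


def describe(finding):
    """One-line summary of a denied call, good enough for a ticket or a key-policy fix."""
    via = f"via {finding['via_service']}" if finding["via_service"] else "directly"
    secret = finding["encryption_context"].get("SecretARN", "<no SecretARN in context>")
    return (f"{finding['principal']} was denied {finding['action']} on "
            f"{finding['key_arn']} {via} for {secret}")


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(json.dumps(kms_actions_by_outcome(recs), indent=2))
    for f in denied_kms_calls(recs):
        print(describe(f))
```

Point the script at a real log file with `load_records(open(path).read())`; if the denied call shows `via secretsmanager.amazonaws.com`, the principal that needs the permission is the one whose credentials Secrets Manager used, not Secrets Manager itself.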

I had this working before. Not sure if I changed something or something at AWS changed, but I don’t see how the above template should ever trigger the decrypt action.

In any case, I added the ability for the user running the above to DECRYPT in the KMS key policy and the script works. This really should be fixed. It’s like not having the ability to only give read OR write access to a directory but being forced to give both permissions.
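How I would write that key policy so the grant is as narrow as the service allows, as an added example and not the author's template or policy: the AWS documentation for CreateSecret lists kms:Decrypt among the permissions the caller needs on a customer managed key alongside kms:GenerateDataKey, and Secrets Manager makes those calls with the caller's credentials and an encryption context containing the secret's ARN. So the deploy role cannot be given GenerateDataKey alone, but the key policy can restrict its Decrypt to calls made through Secrets Manager (kms:ViaService) for this application's secrets (kms:EncryptionContext:SecretARN), which stops the role from calling kms:Decrypt on the key directly. The block ends with a small local check of the policy text; it is a sanity check over these Allow statements, not an IAM simulator. Account id, region, role names and the secret name prefix are placeholders.

```python
"""KMS key policy: write-only deploy role, read-only app role, via Secrets Manager.

Added example, not the author's policy. Account, region, roles and the
secret prefix are placeholders. allows() is a simplified local check of the
Allow statements below (StringEquals/StringLike only): no Deny statements,
IAM policies, grants or session policies are modelled.
"""
import fnmatch
import json

ACCOUNT = "111122223333"
REGION = "us-east-1"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DeploySecretRole"    # hypothetical
READER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppReadSecretRole"   # hypothetical
ONLY_VIA_SECRETS_MANAGER = {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}
ONLY_APP_SECRETS = {"kms:EncryptionContext:SecretARN":
                    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:app/*"}


def key_policy():
    """Each role gets only the KMS calls Secrets Manager makes on its behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration only; deliberately no kms:* for the account root,
                # so IAM policies alone cannot hand out Decrypt on this key.
                "Sid": "KeyAdministrators", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:TagResource",
                           "kms:UntagResource", "kms:ScheduleKeyDeletion",
                           "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Deploy role: wrap a data key and the Decrypt Secrets Manager makes
                # while writing, but only through Secrets Manager and only for app/* secrets.
                "Sid": "DeployRoleWritesAppSecrets", "Effect": "Allow",
                "Principal": {"AWS": DEPLOY_ROLE},
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",
                "Condition": {"StringEquals": ONLY_VIA_SECRETS_MANAGER,
                              "StringLike": ONLY_APP_SECRETS},
            },
            {   # App role: read only, same two conditions.
                "Sid": "AppRoleReadsAppSecrets", "Effect": "Allow",
                "Principal": {"AWS": READER_ROLE},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {"StringEquals": ONLY_VIA_SECRETS_MANAGER,
                              "StringLike": ONLY_APP_SECRETS},
            },
        ],
    }


def as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, principal_arn, action, request_context):
    """True if some Allow statement matches principal, action and every condition key.
    A condition key missing from request_context fails that statement."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(principal_arn, p)
                   for p in as_list(statement["Principal"]["AWS"])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(statement["Action"])):
            continue
        satisfied = True
        for operator, pairs in statement.get("Condition", {}).items():
            for key, wanted in pairs.items():
                actual = request_context.get(key)
                if actual is None:
                    satisfied = False
                elif operator == "StringEquals" and actual != wanted:
                    satisfied = False
                elif operator == "StringLike" and not fnmatch.fnmatchcase(actual, wanted):
                    satisfied = False
        if satisfied:
            return True
    return False


def via_secrets_manager(secret_arn):
    """Request context KMS sees when Secrets Manager calls it for the given secret."""
    return {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com",
            "kms:EncryptionContext:SecretARN": secret_arn}


if __name__ == "__main__":
    print(json.dumps(key_policy(), indent=2))
    ctx = via_secrets_manager(f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:app/db-AbCdEf")
    print("deploy Decrypt via Secrets Manager:", allows(key_policy(), DEPLOY_ROLE, "kms:Decrypt", ctx))
    print("deploy Decrypt directly:", allows(key_policy(), DEPLOY_ROLE, "kms:Decrypt", {}))
```

The Decrypt grant is still there, because the service insists on it, but the role holding it cannot use the key outside Secrets Manager and cannot unwrap data keys for secrets outside the `app/` prefix. Confirm the result against the real evaluation with the IAM policy simulator or a test CreateSecret from the role before relying on it.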

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Bug
AWS
Secrets Manager
Kms
Create Secret