Teri Radichel


Granting AWS Services Access to use a KMS Key

ACM.201 Modifying our generic KMS key policy to allow services to use a key

Part of my series on Automating Cybersecurity Metrics. The Code.


I created a bucket policy for our S3 server access log bucket in the last post and we noticed that ACLs still exist, even though the recent change AWS announced says they will be disabled by default.

Now we have our buckets and earlier I created a KMS key for our organizational CloudTrail log. However, I used our generic template and did not grant CloudTrail permission to use the key. We’re going to attempt to fix that in this post.

I took a look at all the permissions we need to grant in this post including the KMS key policy for CloudTrail to encrypt and decrypt data:

Modifying the generic key policy

I’ve been updating the generic key policy throughout this series.

The key policy allows us to pass in roles for the principals that can encrypt and decrypt the data and administer the key. We assigned all of that to the OrgRoot user.

Now in an ideal world, the OrgRoot user does not need to encrypt the data, only decrypt it. But we’ll leave it as is for the moment.

We also created a way for AWS services to use the key.

We can add CloudTrail to the allowed values for the ServiceParam.

Recall that we need to add the following permission for CloudTrail to encrypt data. Remember that we cannot use the Condition with CloudTrail Lake.

And this permission for CloudTrail to decrypt data:

It is at this point that I have to agree with all the people requesting a separate KMS Key Policy resource for CloudFormation in this request from 2020.

But we can probably make this work.

What I foresee is that we may need to grant other services besides CloudTrail permission to use a key, so I’m going to attempt to make this work for any service.

I’m going to add two new conditions which can be modified if new services need to encrypt or decrypt using a KMS key.

Next, I can add the two statements. Ideally I would attach a condition to the statements so that they are included only when the ServiceCanDecrypt and ServiceCanEncrypt conditions are true. Unfortunately I can’t find a way to make that work. Alternatively, I can simply change the value of Effect to Allow or Deny as appropriate. I’ll have some extra code, but in theory that should work.

I’ll start with Decrypt since that is easier. If the service can decrypt, the Effect in the statement is Allow; otherwise it is Deny.

We can essentially copy that and change the actions for encrypt.

The challenge is that condition. I don’t really know what type of conditions I’m going to need in the future. I’m just going to leave the condition ARN as is and modify it when needed.
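The following is an added example of the approach described above, written for this page and not copied from the author’s template or the series’ code. It is a cut-down AWS::KMS::Key template in which the two service statements are always present and the ServiceCanEncrypt and ServiceCanDecrypt parameters only flip their Effect between Allow and Deny. ServiceParam, ServiceCanEncrypt and ServiceCanDecrypt are the names the post uses; the other parameter names, the Sids, the condition names and the sample allowed values are assumptions.

```yaml
# Added example (not the author's template): generic KMS key whose policy can
# let one AWS service encrypt and/or decrypt with the key. Parameter names other
# than ServiceParam, ServiceCanEncrypt and ServiceCanDecrypt are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Generic KMS key with optional service encrypt/decrypt statements

Parameters:
  KeyAdminArn:
    Type: String
    Description: Principal that administers the key (assumed name)
  KeyUserArn:
    Type: String
    Description: Principal that may encrypt and decrypt with the key (assumed name)
  ServiceParam:
    Type: String
    Description: Service principal prefix; new services are appended to AllowedValues
    AllowedValues:
      - cloudtrail
  ServiceCanEncrypt:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "false"
  ServiceCanDecrypt:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "false"

Conditions:
  ServiceEncrypts: !Equals [!Ref ServiceCanEncrypt, "true"]
  ServiceDecrypts: !Equals [!Ref ServiceCanDecrypt, "true"]

Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      Description: !Sub "Key usable by ${ServiceParam}"
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AdministerKey
            Effect: Allow
            Principal:
              AWS: !Ref KeyAdminArn
            Action: kms:*
            Resource: "*"
          - Sid: UseKey
            Effect: Allow
            Principal:
              AWS: !Ref KeyUserArn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          # The service must be named under the Principal's Service key;
          # the parameter value is only the prefix of the service principal.
          - Sid: ServiceDecrypt
            Effect: !If [ServiceDecrypts, Allow, Deny]
            Principal:
              Service: !Sub "${ServiceParam}.amazonaws.com"
            Action: kms:Decrypt
            Resource: "*"
          - Sid: ServiceEncrypt
            Effect: !If [ServiceEncrypts, Allow, Deny]
            Principal:
              Service: !Sub "${ServiceParam}.amazonaws.com"
            Action: kms:GenerateDataKey*
            Resource: "*"
            # Limits encryption to trails in this account. The post notes this
            # condition cannot be used with CloudTrail Lake; adjust it when a
            # different service needs the key.
            Condition:
              StringLike:
                kms:EncryptionContext:aws:cloudtrail:arn: !Sub "arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*"
```

Two things to keep in mind with this shape. First, an explicit Deny is stronger than simply omitting the statement: with ServiceCanDecrypt set to false, the service principal is denied kms:Decrypt even if another statement in the policy would allow it, so a later change that grants the service access elsewhere will silently fail until the parameter is flipped. Second, the Deny form of the encrypt statement still carries the Condition, so it only denies requests that match that encryption context; requests that do not match are neither allowed nor denied by that statement and fall through to the rest of the policy.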

Now we can try to redeploy the key with the deploy script in the Org KMS folder. And…we get the dreaded Malformed Policy error again.

The issue, which I fixed in the screenshots above, was that I forgot to put “service:” in front of the service name.

Now we have everything we need to deploy an organizational CloudTrail. We’ll see how it works and troubleshoot any issues.

Yeah…we needed to do some troubleshooting.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
