Teri Radichel

Summary

The website content discusses troubleshooting an AWS KMS key policy error, "The new key policy will not allow you to update the key policy in the future," encountered during a CloudFormation deployment, and outlines steps taken to resolve the issue, which the author believes is a bug in AWS.

Abstract

The author of the website content encountered an error message while deploying an AWS KMS key policy through CloudFormation, indicating that the new policy would prevent future updates. Despite granting extensive permissions to the root user and other administrators, the issue persisted. The author consulted AWS documentation and made several changes to the key policy, such as altering quotation marks, adjusting the Sid, adding an ID, and removing single quotes around certain values. Initially, these changes seemed to resolve the problem, but the error recurred. The author then discovered that the user deploying the policy lacked administrative access to the key, which they attribute to an AWS bug. The author's solution was to deploy the key policy with the user designated as the key administrator. They also note that AWS allows the deletion of an administrator from a policy, which could lead to a situation where no one can administer the key, identifying this as another bug.

Opinions

  • The author considers the error message about future key policy updates to be a bug in AWS CloudFormation or KMS.
  • The author believes that AWS's logic for preventing potential lockouts from editing key policies is flawed and caused unnecessary complications.
  • AWS is seen as having a bug because it allows the deletion of an administrator from a key policy without ensuring a valid user retains administrative permissions.
  • The author suggests that AWS should permit a key policy deployment as long as there is a valid user with administrative permissions in the policy.
  • The author's experience indicates that AWS's handling of key policies and permissions is not as intuitive or robust as it should be, leading to potential security and access issues.

The new key policy will not allow you to update the key policy in the future

Resource handler returned message: “The new key policy will not allow you to update the key policy in the future. (Service: Kms, Status Code: 400)” (HandlerErrorCode: InvalidRequest)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | KMS and Encryption

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I think this error message is a bug in CloudFormation or KMS. The reason I say that is because I created a KMS policy with all KMS privileges for all KMS resources for my current user that is deploying the KMS key and I get an error stating that the key policy will not allow you to update it in the future.

In case this error message was related to not giving the root user permissions, I added permissions for that user as well and that did not resolve the problem. I gave the root user (administrators in the account actually) full permissions to all resources. Definitely a bug.

So I searched around and found this blog post, which confirms what I would expect. You do NOT need to give the root user full admin access to your key.

I changed two things to get this working and I’m not sure which one fixed it but I expect it was the quotes:

1. I changed the single quotes around the * in my policy:

'*'

to double quotes:

"*"

2. I changed the Sid to match exactly what is stated in the above blog post:

"Sid": "Allow administration of the key"

3. I added an ID like the one in the blog post:

"Id": "key-default-1"

4. I had single quotes around some other values, which I simply removed.

However, the logic behind this error message, which tries to determine whether someone is going to lock themselves out of editing their key policy, has a bug, and it took me forever (in impatient programmer minutes) to resolve this.

Update:

Somehow the above allowed me to deploy a KMS policy. However, upon further testing, I hit this error again. The problem was that the user I was deploying the policy with did not have access to administer the key. However, another policy for a role that I was granting administrative permissions on the key to did have permission to administer the key. I consider this an AWS BUG, because the person or deployment system deploying the key policy might not be the same as the person who later administers the key. As long as there is a valid user that has permission to administer the key in the policy, it should pass.

At the same time, if you have an administrator in a policy and you delete that user, AWS lets you do that, making it impossible to administer the key in the future. That is definitely a bug as well. AWS changes the KMS policy and replaces the user ARN with some non-sensical value, and then no one can administer the key.

To get around this problem I deploy the key policy with the user that I am making the key administrator.
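Here is an added example, not code from the post, that pulls the fixes listed above and the two lockout cases from the update into one offline check. It builds a constructed key policy in the form the post settled on (an "Id", the "Allow administration of the key" Sid, "*" in double quotes), shows why the single-quoted '*' fails (it is not valid JSON), and then answers the two questions AWS's safety check and the deleted-administrator case raise: does the principal deploying the policy get kms:PutKeyPolicy, and does any real principal still administer the key? The account id, role and user ARNs, and the opaque id standing in for a deleted user are placeholders, and the IAM matching is a simplified model (Allow/Deny on "AWS" principals with "*" wildcards in actions), not the AWS evaluation engine.

```python
import fnmatch
import json

# Constructed sample key policy (placeholder account id and ARNs), modeled on
# the fixes described above: an "Id", a Sid of "Allow administration of the
# key", and "*" in double quotes.
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/KeyAdministrator"
DEPLOYER_USER_ARN = "arn:aws:iam::111122223333:user/deployer"

KEY_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdministrator"},
      "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"],
      "Resource": "*"
    }
  ]
}"""

# The same document with '*' instead of "*": this is what item 1 above fixed.
SINGLE_QUOTED_POLICY_JSON = KEY_POLICY_JSON.replace('"*"', "'*'")

# Constructed stand-in for the post's "non-sensical value": after the admin
# principal is deleted, the ARN is replaced by an opaque id (placeholder here).
DELETED_ADMIN_POLICY = json.loads(
    KEY_POLICY_JSON.replace(ADMIN_ROLE_ARN, "AIDAEXAMPLEDELETEDUSER")
)


def is_valid_policy_json(text):
    """True if the policy text parses as JSON (single quotes do not)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def parse_key_policy(text):
    """Parse a key policy, raising ValueError with a hint about quoting."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (single-quoted values are not valid JSON)" if "'" in text else ""
        raise ValueError(f"key policy is not valid JSON{hint}: {exc}") from exc


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively, with "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def principals_allowed(policy, action):
    """Set of "AWS" principals granted `action`: matching Allows minus Denies.

    Key policies always use Resource "*", so the resource is not checked.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in actions):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        (denied if stmt.get("Effect") == "Deny" else allowed).update(arns)
    return allowed - denied


def can_update_key_policy(policy, caller_arn):
    """Would `caller_arn` keep kms:PutKeyPolicy under this policy?"""
    allowed = principals_allowed(policy, "kms:PutKeyPolicy")
    return "*" in allowed or caller_arn in allowed


def dangling_principals(policy):
    """Principals that are not ARNs or "*", e.g. the id left behind when a
    user or role named in the policy has been deleted."""
    found = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p != "*" and not p.startswith("arn:"):
                found.add(p)
    return sorted(found)


def has_administrator(policy):
    """True if some still-valid principal can change the key policy."""
    return any(p == "*" or p.startswith("arn:")
               for p in principals_allowed(policy, "kms:PutKeyPolicy"))


if __name__ == "__main__":
    policy = parse_key_policy(KEY_POLICY_JSON)
    print("deployer can update policy:", can_update_key_policy(policy, DEPLOYER_USER_ARN))
    print("admin role can update policy:", can_update_key_policy(policy, ADMIN_ROLE_ARN))
    print("after admin deleted, administrator remains:", has_administrator(DELETED_ADMIN_POLICY))
    print("dangling principals:", dangling_principals(DELETED_ADMIN_POLICY))
```

Running this before a deployment reproduces the post's finding: the policy names a valid administrator (the role), yet the deploying user is not in it, so the deployer gets False and AWS's safety check rejects the template; deploying as the principal that is the key administrator, as the post does, makes that check pass. The `dangling_principals` check covers the second case: once the only administrator has been deleted, `has_administrator` turns False and the policy should be repaired before anything else depends on the key.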

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

The best way to support this blog is to sign up for the email list and clap for stories you like. That also helps me determine what stories people like and what to write about more often. Other ways to follow and support are listed below. Thank you!

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Author: Cybersecurity for Executives in the Age of Cloud
Presentations: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Security Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
Company: Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab
Like this story? Use the options below to support this blog.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Clap
❤️ Referrals
❤️ Medium: Teri Radichel
❤️ Email List: Teri Radichel
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
❤️ Buy a Book: Teri Radichel on Amazon
❤️ Request a penetration test, assessment, or training via LinkedIn: Teri Radichel
❤️ Schedule a consulting call with me through IANS Research
Tags: Bug, AWS, Cloudformation, Kms, Key Policy