Teri Radichel

Who decided to add alias/ in front of the KMS alias name everywhere and why?

This one has thrown me for a loop so many times — WHY?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you pass a KMS key alias to CloudFormation, you have to prefix it with alias/.

Every stinkin’ time I forget this, but thankfully I have mostly automated this so it’s not an issue.

I check to see if “alias/” exists and if it doesn’t I just add it when I call my function that deploys the key.

Why can’t AWS do the same? And why do you even need that? Is it literally the only resource in all of AWS that does this?

There is some very strange logic in the KMS code base, in general.

You also need this when querying a KMS key using the CLI. If you query for the KMS key alias alone it fails. You have to add the mysterious, magical “alias/” in front. Why? I would love to hear someone’s explanation as I’m sure someone must have one.

This makes no sense to me. Even if you need it for some odd reason on the back end, can’t you hide that from the customer?

Or at least handle both cases — with and without the alias/.

Of course with very stringent validation.
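Here is the kind of normalizer described above, as an added example that is not the author’s own deployment code: it accepts a key alias with or without the prefix, adds “alias/” only when it is missing, and then validates the result strictly against the documented KMS alias constraints (1 to 256 characters, the character set [a-zA-Z0-9:/_-], and the reserved “alias/aws/” namespace) before it is handed to CloudFormation or the CLI. The function name and the error messages are my own.

```shell
#!/usr/bin/env bash
# normalize_kms_alias: accept "mykey" or "alias/mykey", print "alias/mykey".
# The prefix is added only when absent, so both forms work at every call site.
# Validation mirrors the documented KMS alias rules: length 1-256 characters,
# pattern ^[a-zA-Z0-9:/_-]+$, and "alias/aws/" reserved for AWS managed keys.
# (Function name and messages are this example's own, not an AWS API.)

normalize_kms_alias() {
  local name="$1"
  local full

  # Handle both cases: keep an existing "alias/" prefix, otherwise add it.
  case "$name" in
    alias/*) full="$name" ;;
    *)       full="alias/$name" ;;
  esac

  # Stringent validation of the full alias name before it leaves this function.
  local bare="${full#alias/}"
  if [ -z "$bare" ]; then
    echo "error: empty alias name" >&2
    return 1
  fi
  if [ "${#full}" -gt 256 ]; then
    echo "error: alias name exceeds 256 characters" >&2
    return 1
  fi
  case "$bare" in
    aws/*)
      echo "error: alias/aws/ is reserved for AWS managed keys" >&2
      return 1 ;;
  esac
  if ! printf '%s' "$full" | grep -Eq '^[a-zA-Z0-9:/_-]+$'; then
    echo "error: alias contains characters outside [a-zA-Z0-9:/_-]" >&2
    return 1
  fi

  printf '%s\n' "$full"
}

# Usage (not executed here): route every key lookup or deployment through the
# normalizer so nobody has to remember the prefix, e.g.
#   aws kms describe-key --key-id "$(normalize_kms_alias "$KEY_ALIAS")"
```

Because the function rejects rather than silently rewrites anything outside the allowed character set, a typo or an attempt to reference the reserved AWS managed-key namespace fails in the script instead of producing a confusing error from CloudFormation or the CLI.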

A lot of the KMS implementation seems a bit odd. For example, you can’t have a policy with only Encrypt for principals who need to encrypt and only Decrypt for principals that need to decrypt.

And on that note, why do aliases even exist?! Why do keys not just have names like everything else?

Maybe another review would be helpful at this point to see what errors are most tripping customers up and to find any extraneous logic.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity for Executives in the Age of Cloud
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Medium: Teri Radichel
❤️ Sign Up For Email
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab