
aws-kms-developer-guide's People

Contributors

achallett, ajayk, ajfriedman18, claudioscheer, clhuang, desyncr, dishwasha, haileygu, isimplyexcel, jeffmccollum, joech4n, joshbean, jpeddicord, jsbonso, jschwarzwalder, juneb, kravell, kwwarmbe, lvthillo, maksimaniskov, matteofigus, mattsb42-aws, pandruszkow, quinnypig, randomvariable, rasta-rocket, sean12697, snikalaichyk, svalevka


aws-kms-developer-guide's Issues

Changing Key Policy: needs important details

Under the page https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html, Changing Key Policy, I suggest including the following relevant and important point (with the suggested examples):

KMS will only allow the currently authenticated entity to make a change to the Key policy's Principal entry if both match.

For example, if the KMS key policy has the following entry:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

Even if the root user is currently logged in to the console, that root user won't be able to change this policy to the following, as they will receive an access denied error:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/user123"
  },
  "Action": "kms:*",
  "Resource": "*"
}

However, if user123 has an identity policy attached to them allowing for example kms:*, and user123 logs in to the console, then they could change the key policy to the following:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/user123"
  },
  "Action": "kms:*",
  "Resource": "*"
}

but they would not even be able to revert the Key policy to the default one, even if they tried the following:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

Lastly, please note that this behavior would basically allow an IAM user that has enough KMS privileges (ex. KMS:*) to take full ownership of the KMS key, while disallowing all other users, including the root-account user itself.

Please let me know if these two behaviors are mentioned or explained clearly anywhere else in the KMS documentation.

Thank you for your support and hard work.

Better clarification is needed for the Default KMS policy

Hello,

Under the section "Allows access to the AWS account and enables IAM policies" of the page https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html, it is mentioned that:

"It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy. Without this permission, IAM policies that allow access to the key are ineffective, although IAM policies that deny access to the key are still effective."

While this is true, it gives, or might give the impression that without the default policy:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

then IAM access to the key is not possible. However, this is not 100% true, because if we for example allow a specific IAM user or IAM Role access to the KMS key through a custom Key policy, such as this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Describe the policy statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/Alice"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

then we are actually allowing IAM policies and users access to the key, even without the "AWS": "arn:aws:iam::111122223333:root" entry.

I believe this section should be reworded to mention that the default policy, and/or other IAM Principals (with an example) are needed to provide IAM-based access to the key itself.

I hope my explanation is clear, thank you for your hard work and efforts.

Broken permalink in AWS KMS Best Practices

Broken permalink

The AWS Key Management Service Best Practices available under https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf (referenced at https://aws.amazon.com/whitepapers/) mention on their last page

For the most up-to-date version of this white paper, please visit:
https://d0.awsstatic.com/whitepapers/KMS-Best-Practices.pdf

This link responds with status code 403 Forbidden.

Additional broken links

Also the last three links in the notes are broken. The visible URLs are correct, but the underlying links represent the # with %23 leading to broken links on both Firefox and Chromium.

Broken links to topics in KMS API Reference

The following chapters contain malformed links to the KMS API Reference:
Concepts
Changing a key policy
Using policy conditions with AWS KMS
How to choose your CMK configuration

Malformed links start with url-kms-api; which apparently was supposed to be replaced with https://docs.aws.amazon.com/kms/latest/APIReference/.

An example of broken link: url-kms-api;API_PutKeyPolicy.html

Correct value: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html

Examples in multiple programming languages

The Programming the AWS KMS API section of the AWS KMS developer guide now has examples in Java, C#, Python, Ruby, PHP, and Node.js. We'd love to have examples in other languages.

When submitting your examples, please be sure to make them analogous to the existing example, but idiomatic to the language. If you have questions, ask them in this issue.

Thanks in advance for your contribution!

Documentation on IAM action `kms:CreateAlias` is missing alias as a resource

Looking at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-actions-as-permissions it seems enough to add arn:${Partition}:kms:${Region}:${Account}:key/${KeyId} as a resource to an IAM policy.

We tried this within a CloudFormation Stack and it failed:

User: arn:aws:sts::***:assumed-role/***/AWSCloudFormation
is not authorized to perform: kms:CreateAlias on resource:
arn:aws:kms:eu-west-1:***:alias/***

After adding another resource arn:${Partition}:kms:${Region}:${Account}:alias/${Alias} everything worked as expected.

I initially reported this as awsdocs/iam-user-guide#119, but was pointed to this repo.

Line 74 is wrong

Line 74 is wrong. If I create a user which has the following policy:

"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"

They WILL be able to encrypt using the following command: aws kms encrypt --key-id <insert_key_ID> --plaintext "ABC"

even though they are NOT added in the Key Users section of the CMK in question. This was tested.

Additionally, if the user has NO IAM policy attached, and they are added only under the Key Policy (or as a User of the CMK), they will be able to encrypt data. So it seems that access is given if either the IAM policy or the Key user is added.
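The three issues above ("Changing Key Policy", "Better clarification is needed for the Default KMS policy" and "Line 74 is wrong") all describe the same two rules: a key policy grants access directly to the principals it names, and the "Enable IAM policies" statement for the account root principal is what makes IAM identity policies count at all. The following is an added example, written for this page and not code from the issues or from AWS; it is a deliberately simplified model (no conditions, grants, SCPs, permission boundaries, session policies or cross-account access) that reproduces each scenario the reporters tested, plus an audit function that flags a key policy whose account root can no longer change it. The account id, user names and key ARN are constructed sample values.

```python
"""Simplified model of how a KMS key policy and an IAM identity policy combine.

Constructed for this page to illustrate the behaviour the issues above describe;
it is not AWS's own evaluation logic. It models only three rules: an explicit
Deny wins; a key policy grants access directly to the principals it names; and
an Allow for the account root principal in the key policy switches on IAM
identity policies for that account. Conditions, grants, SCPs, permission
boundaries, session policies, cross-account access, NotPrincipal/NotAction and
VPC endpoint policies are deliberately left out.
"""
import fnmatch
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource elements are case-insensitive glob patterns.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statements(policy):
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def iam_policy_decision(iam_policy, action, key_arn):
    """Return 'Deny', 'Allow' or None from an identity policy (no Principal element)."""
    decision = None
    for st in _statements(iam_policy):
        if not (_matches(st.get("Action"), action) and _matches(st.get("Resource"), key_arn)):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(key_policy, iam_policy, principal_arn, key_arn, action):
    """Decide one request by a same-account IAM principal or the root user."""
    account_root = root_arn(principal_arn.split(":")[4])
    direct_allow = iam_enabled = False
    for st in _statements(key_policy):
        if not _matches(st.get("Action"), action):
            continue
        who = _principals(st)
        named = "*" in who or principal_arn in who
        if st.get("Effect") == "Deny":
            if named:
                return False  # explicit deny in the key policy wins
            continue
        direct_allow = direct_allow or named
        iam_enabled = iam_enabled or account_root in who  # the "Enable IAM policies" statement
    iam = iam_policy_decision(iam_policy, action, key_arn)
    if iam == "Deny":
        return False  # a denying IAM policy is effective even without the root statement
    return direct_allow or (iam_enabled and iam == "Allow")


def audit_key_policy(key_policy, account_id):
    """Report who can change the key policy and whether the account root keeps control."""
    root = root_arn(account_id)
    admins, root_allowed = [], False
    for st in _statements(key_policy):
        if st.get("Effect") != "Allow":
            continue
        who = _principals(st)
        root_allowed = root_allowed or root in who
        if _matches(st.get("Action"), "kms:PutKeyPolicy"):
            admins.extend(p for p in who if p not in admins)
    return {
        "iam_policies_enabled": root_allowed,
        "key_policy_administrators": admins,
        # Only named principals can change the policy: delete them and the key is unmanageable.
        "unmanageable_risk": root not in admins and "*" not in admins,
    }


# Constructed sample data mirroring the policies quoted in the issues above.
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"  # placeholder key id
ROOT = root_arn(ACCOUNT)
USER123 = f"arn:aws:iam::{ACCOUNT}:user/user123"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/Alice"


def key_policy_for(principal_arn):
    return {"Version": "2012-10-17", "Statement": [{"Sid": "Enable IAM policies", "Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": "kms:*", "Resource": "*"}]}


DEFAULT_KEY_POLICY = key_policy_for(ROOT)
USER123_KEY_POLICY = key_policy_for(USER123)
ALL_KMS_IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
KEY_USER_IAM_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]}]}

if __name__ == "__main__":
    print("root can change the user123-only policy:",
          is_authorized(USER123_KEY_POLICY, None, ROOT, KEY_ARN, "kms:PutKeyPolicy"))
    print("IAM-only user can encrypt under the default policy:",
          is_authorized(DEFAULT_KEY_POLICY, KEY_USER_IAM_POLICY, USER123, KEY_ARN, "kms:Encrypt"))
    print(audit_key_policy(USER123_KEY_POLICY, ACCOUNT))
```

Run against the constructed policies, the model returns the outcomes the reporters observed: the root user is denied kms:PutKeyPolicy once the only principal is user/user123, a user with an IAM policy alone can encrypt under the default key policy, a user named only in the key policy can encrypt with no IAM policy at all, and an IAM Deny still applies. The audit result for the user123-only policy is the condition the guide's "becoming unmanageable" section warns about: IAM policies are switched off and the account root is no longer an administrator of its own key.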

Graphic - Reduces the risk of the CMK becoming unmanageable.

I would like to put forward this graphical representation for this scenario.
Here's a mockup of how it would look in the documentation:

I used graphics elements exclusively from the AWS Kit to avoid any concerns about ownership of third-party assets.

[Screenshot: Screen Shot 2019-08-01 at 8 09 22 AM]

I have attached the Adobe XD file which allows for future modification.
I created the source file in Adobe XD since the software is free to use.

Reduces-the-risk-of-the-CMK-becoming-unmanageable.zip

Here is the rendered graphic as a png:

[Screenshot: Screen Shot 2019-08-01 at 1 45 58 PM]

When I have a moment I'll submit a pull request.

Confusing explanation about how S3 uses KMS keys

Hi everyone,

I noticed something which is a bit strange to me reading the documentation; on this page it says:

SSE-KMS requires that AWS manage the data key but you manage the customer master key (CMK) in AWS KMS.

As I understand it, it means that SSE-KMS requires the use of a customer managed CMK. But later in the same file it says:

You can choose a customer managed CMK or the AWS managed CMK for Amazon S3 in your account.

I think it's a bit confusing, and maybe we can change it a bit :)

Thank you
