Certified Security - Specialty
  1. Rooms
  2. Certified Security - Specialty

Sign Up Free or Log In to participate!

KMS Part 2 – Lots of info missing, to the point where the info is wrong

In KMS Part 2, it was mentioned that the reason the admin could access the data encrypted by another user’s KMS key was simply because he was an "admin". This is actually not very accurate.

First of all, the entire concept of CMK Key policy was not even mentioned anywhere from Parts 1-4. This is one of the MOST important aspects of KMS and CMKs, and its what answers the real question of who can access a specific CMK.

The other most important subject missing is how access to KMS and CMKs is actually done: 1) through IAM policies, and 2) through the users/admins of the CMK itself (which is effective per-CMK), which will actually be reflected in the CMK policy. All of this was never explained in the course.

Real Reason: the default key policy allows the "root" user to assign IAM policies (as well as assigning users/admin to the CMK) to the other users of the account. By default, the root user also has full access to the CMK policy:

{

"Sid": "Enable IAM User Permissions",

"Effect": "Allow",

"Principal": {"AWS": "arn:aws:iam::111122223333:root"},

"Action": "kms:*",

"Resource": "*"

}

So access can be granted either through the IAM policy (kms:XYZ), or through adding a key user under the CMK itself (CMK policy). You DONT need to add BOTH a CMK user and an IAM policy for access to work. ANY user with an IAM policy of kms: or kms:decrypt on all CMK ressources () will be able to read the encrypted data of any CMK (since we have a *).

The "real" reason why the SystemAdmin policy cannot decrypt the data of the other user is actually simple (and not mentioned in the course): 

"kms:CreateAlias",

"kms:CreateKey",

"kms:DeleteAlias",

"kms:Describe*",

"kms:GenerateRandom",

"kms:Get*",

"kms:List*",

"kms:Encrypt",

"kms:ReEncrypt*",

"Effect": "Allow",

"Resource": "*"

Its because it does not include a kms:decrypt. As you can see, the systemadmin can actually encrypt data through any CMK (resource: *). 

Anyhow, there are lots of important concepts that are totally missing regarding CMKs, KMS and access control. What was shown only scratches the surface of things, and can be considered inaccurate.

0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Don't have an account?

Get Started
Who’s going to be learning?
MyselfMy Organization