Certified Security - Specialty


More Examples using Key Policies?

Since KMS is a big part of this exam, would you mind doing some more key policy examples?  Maybe some where the key policies conflict with IAM policies for given users?  An example where the key policy is edited in JSON format in the console?  Definitely think this would be helpful with giving more insight into KMS management.

lincupel

I agree with Harold; it would be great, Ryan, if you could add more examples when you release the new updates.

3 Answers

Hey Harold,

Look at the following scenarios. If you test out these scenarios yourself, remember to wait in between IAM policy changes due to "eventual consistency".

Scenario 1:

The following IAM policy is attached to user bob:

{  
 "Version": "2012-10-17",  
 "Statement": [  
  {  
   "Sid": "IAMPolicyStatement1",  
   "Effect": "Allow",  
   "Action": "kms:Encrypt",  
   "Resource": "arn:aws:kms:us-east-2:123456789012:key/12345678-6afc-4f99-9001-b268ba6fe539"  
  }  
 ]  
}

The following is the KMS Key Policy attached to CMK "12345678-6afc-4f99-9001-b268ba6fe539":

{  
  "Version": "2012-10-17",  
  "Id": "key-consolepolicy-3",  
  "Statement": [  
    {  
      "Sid": "KMSKeyPolicyStatement1",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:root"  
      },  
      "Action": "kms:*",  
      "Resource": "*"  
    },  
    {  
      "Sid": "KMSKeyPolicyStatement2",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:user/bob"  
      },  
      "Action": [  
        "kms:Decrypt",  
        "kms:DescribeKey"  
      ],  
      "Resource": "*"  
    }  
  ]  
}

Question:

1.) Can bob encrypt, decrypt, both or none?


Scenario 2:

The following IAM policy is attached to user bob:

{  
 "Version": "2012-10-17",  
 "Statement": [  
  {  
   "Sid": "IAMPolicyStatement1",  
   "Effect": "Allow",  
   "Action": "kms:Encrypt",  
   "Resource": "arn:aws:kms:us-east-2:123456789012:key/12345678-6afc-4f99-9001-b268ba6fe539"  
  }  
 ]  
}

The following is the KMS Key Policy attached to the CMK "12345678-6afc-4f99-9001-b268ba6fe539":

{  
  "Version": "2012-10-17",  
  "Id": "key-consolepolicy-3",  
  "Statement": [  
    {  
      "Sid": "KMSKeyPolicyStatement0",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:user/admin"  
      },  
      "Action": "kms:*",  
      "Resource": "*"  
    },  
    {  
      "Sid": "KMSKeyPolicyStatement2",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:user/bob"  
      },  
      "Action": [  
        "kms:Decrypt",  
        "kms:DescribeKey"  
      ],  
      "Resource": "*"  
    }  
  ]  
}

Question:

2.) Can bob encrypt, decrypt, both or none?


Scenario 3:

The following IAM policy is attached to user bob:

{  
 "Version": "2012-10-17",  
 "Statement": [  
  {  
   "Sid": "IAMPolicyStatement2",  
   "Effect": "Deny",  
   "Action": [  
    "kms:Decrypt",  
    "kms:Encrypt"  
    ],  
   "Resource": "arn:aws:kms:us-east-2:123456789012:key/12345678-6afc-4f99-9001-b268ba6fe539"  
  }  
 ]  
}

The following is the KMS Key Policy attached to the CMK "12345678-6afc-4f99-9001-b268ba6fe539":

{  
  "Version": "2012-10-17",  
  "Id": "key-consolepolicy-3",  
  "Statement": [  
    {  
      "Sid": "KMSKeyPolicyStatement0",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:user/admin"  
      },  
      "Action": "kms:*",  
      "Resource": "*"  
    },  
    {  
      "Sid": "KMSKeyPolicyStatement2",  
      "Effect": "Allow",  
      "Principal": {  
        "AWS": "arn:aws:iam::123456789012:user/bob"  
      },  
      "Action": [  
        "kms:Decrypt",  
        "kms:DescribeKey"  
      ],  
      "Resource": "*"  
    }  
  ]  
}

Question:

3.) Can bob encrypt, decrypt, both or none?


Answers:

Scenario 1:

Both; Bob can encrypt and decrypt.  
**Explanation**:  
Both the IAM and KMS policies add to grant the user both privileges.

Scenario 2:

Bob can decrypt only.  
**Explanation**:  
In this case, the principal "arn:aws:iam::123456789012:root" has been removed from the KMS policy.  
Therefore, the IAM policy granting bob "Encrypt" does not apply.  
The KMS policy allows bob to "Decrypt".  
In this situation, the key administrator must be careful not to lock himself out by setting a KMS policy that doesn't allow him to modify the policy in the future. Search AWS documentation for "BypassPolicyLockoutSafetyCheck."

Scenario 3:

None. Bob has no access.  
**Explanation**:  
Again, the principal "arn:aws:iam::123456789012:root" has been removed from the KMS policy.  
Nevertheless, the DENY in the IAM policy still applies even though any ALLOWs in the IAM policy won't. 

lincupel

Felipe, thanks for the policy examples; I saw a few of those in my exam.

lincupel

Felipe, one more question: I found several AWS whitepapers on JSON policies when studying for the exam. Do you have any recommendation on which AWS papers or links will provide more examples like the ones you did above? Thanks for your assistance.

Felipe Cavalcanti

I don’t, sorry. I came up with these myself while studying for the AWS Security Specialty exam.

lincupel

Np, thanks for sharing.

Ben M

Thanks
