The default KMS key policy is shown as { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:", "Resource": "" }. Apparently this enables IAM users to access this CMK. My question is whether the actions shown as kms:* determine which actions can be enabled for IAM users – in this case all actions for IAM users who have access to this key. I have seen it suggested elsewhere that this policy can be used to limit the actions an IAM user can access. The AWS documentaion I have looked at is silent on this
1 Answers
Lawrence,
What the default key policy is saying is that for this key, the account 111122223333 (aka its root user) is allowed to delegate any permissions within the scope of kms:* to principals in the account via IAM policies. The default policy as is does not give access to specific principals on its own. To do so you’d have to 1) configure permissions to the key in the principal’s IAM policy or 2) modify the default key policy and explicitly specify the principal.
You’re correct that the key policy could be used to limit access as well, you could do this via explicit deny. Or you could reduce the kms:* scope in the key policy, but this would also reduce the possible permissions that account 111122223333 could delegate.
Thought this article was helpful for understanding the default key policy: https://github.com/awsdocs/aws-kms-developer-guide/blob/master/doc_source/determining-access-key-policy.md
This flowchart is really handy as well: https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html
Note that since a KMS key policy is a resource-based policy, the policy evaluation logic changes a bit depending on whether or not the principal is in the same account.
Hope this helps.
Thanks CL. The penny has dropped for me.