Certified Security - Specialty

Sign Up Free or Log In to participate!

Question on Default Key policy

The default KMS key policy is shown as { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:", "Resource": "" }. Apparently this enables IAM users to access this CMK. My question is whether the actions shown as kms:* determine which actions can be enabled for IAM users – in this case all actions for IAM users who have access to this key. I have seen it suggested elsewhere that this policy can be used to limit the actions an IAM user can access. The AWS documentaion I have looked at is silent on this

1 Answers


What the default key policy is saying is that for this key, the account 111122223333 (aka its root user) is allowed to delegate any permissions within the scope of kms:* to principals in the account via IAM policies. The default policy as is does not give access to specific principals on its own. To do so you’d have to 1) configure permissions to the key in the principal’s IAM policy or 2) modify the default key policy and explicitly specify the principal.

You’re correct that the key policy could be used to limit access as well, you could do this via explicit deny. Or you could reduce the kms:* scope in the key policy, but this would also reduce the possible permissions that account 111122223333 could delegate. 

Thought this article was helpful for understanding the default key policy: https://github.com/awsdocs/aws-kms-developer-guide/blob/master/doc_source/determining-access-key-policy.md

This flowchart is really handy as well: https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html

Note that since a KMS key policy is a resource-based policy, the policy evaluation logic changes a bit depending on whether or not the principal is in the same account.

Hope this helps.

Lawrence Opiyo

Thanks CL. The penny has dropped for me.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?