Certified Security - Specialty


quiz – answer question

You are attempting to decrypt a file which you have already successfully encrypted using your CMK, however when you try to decrypt you are not authorized to do so. Which policy should you check?

The given answer is to choose the IAM policy, but wouldn’t you choose the key policy instead to ensure users are not given permission to decrypt on all CMKs?

https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html

ArobTheArab

Yes, I’m fairly certain the correct answer is EITHER the IAM policy or the key policy. The key policy can control operations by user and by action (Encrypt, Decrypt, etc.)

ArobTheArab

And it would be weird to put key-specific controls in the IAM policy rather than the key policy. That is just asking for trouble. So the best answer, I believe, is "key policy."

1 Answer

You can restrict the IAM policy to the specific key in question so you won’t necessarily open up the user to all the keys unless that is what you want.

ArobTheArab

The encryption and decryption in the question are all occurring using the same key. It is UNLIKELY (and poor practice) to put key-specific controls in the IAM policy when they should be managed using the key policy. While both IAM policy and key policy can restrict specific operations on specific keys, the BEST answer is "key policy."
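As an added illustration of the point argued in this thread (not from the original posts or from AWS documentation), this constructed CloudFormation fragment shows a key policy in which the same principal can encrypt but not decrypt, beside the statement that grants Decrypt; the account id 111122223333 and the role names are assumed placeholders.

```yaml
# Constructed example, not code from this thread. Account id and role names
# are placeholders. In a key policy, Resource "*" means this key only.
Resources:
  FileKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK used to encrypt the file in the question (example)
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Without this statement, IAM policies in the account have no effect
          # on this key at all; only the key policy itself can grant access.
          - Sid: EnableIAMPoliciesForThisKey
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: kms:*
            Resource: "*"
          # The symptom in the question: Encrypt is granted, Decrypt is not.
          - Sid: EncryptOnly
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:role/FileWriterRole
            Action:
              - kms:Encrypt
              - kms:GenerateDataKey
            Resource: "*"
          # The fix in the key policy: grant Decrypt to the principal that
          # needs it, scoped to this key and nothing else.
          - Sid: AllowDecryptForReader
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:role/FileReaderRole
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
```

If the grant is made through an IAM policy instead, as the answer above suggests, the first statement must stay in the key policy and the IAM statement's Resource should be this key's ARN rather than "*", so the permission covers only this CMK.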
