AWS KMS Grants
In AWS KMS, you control access to your master keys with key policies and grants. Key policies are JSON documents that describe which principals are allowed to perform which KMS operations (e.g., Encrypt, Decrypt) on your master keys.
The key policy below means that the IAM user “rizal” can execute only the GenerateDataKey and Decrypt operations on the CMK to which the key policy is attached.
There can be only one key policy per CMK, so if you manage hundreds of CMKs, you are also responsible for managing hundreds of key policies. As one would expect, the effort of editing each key policy grows with the number of master keys you administer.
Fortunately, we can add KMS permissions on a CMK without touching the key policy attached to it: we can programmatically delegate permissions to a principal by using grants. To create a grant, we call the CreateGrant operation.
aws kms create-grant --key-id [KEY_ID or KEY ARN] --grant-principal arn:aws:iam::123456789123:user/josephine --retiring-principal arn:aws:iam::123456789123:user/rizal --operations Decrypt
The CreateGrant operation does not accept key aliases, so you must pass the key ID or the key ARN instead. The --grant-principal parameter defines the grantee, the principal to whom you are delegating access. The --retiring-principal parameter designates the principal that can retire the grant and thereby revoke the access to the CMK. The --operations parameter defines the operations the grantee is allowed to perform.
The CreateGrant operation returns a grant token and a grant ID. You can retire a grant at any time once you are done with it: call RetireGrant with the grant token you received when you created the grant. Note that a grant can only allow access; it cannot deny it.
aws kms retire-grant --grant-token [GRANT TOKEN]
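To make the key-policy section and the CreateGrant/RetireGrant lifecycle above concrete, here is a small in-memory model of how a key policy and grants combine to authorize one operation on one CMK. It is an added example written for this article, not AWS code, not the boto3 API and not AWS's real policy evaluation engine: the account ID matches the one in the CLI calls above, but the key ARN, the user names and the GrantStore class are constructed, and the evaluator is deliberately simplified to key policy plus grants (no IAM policies or conditions). It shows the two points a practitioner should take away: a grant can only add access on top of the key policy, never remove it, and once the retiring principal retires the grant the grantee's access is gone.

```python
"""Toy model of how a KMS key policy and grants combine to authorize an
operation on one CMK. Constructed example for illustration only; it is not
AWS's evaluation engine or the boto3 API, and all ARNs and IDs are made up."""
import uuid

ACCOUNT = "123456789123"  # the example account ID used in the article's CLI calls


def user_arn(name):
    """ARN for an IAM user in the example account (constructed)."""
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def build_key_policy(principal_arn, operations):
    """Key policy letting one principal run only the listed KMS operations.

    The root statement keeps the account able to administer the key; a key
    policy that omits it can leave the CMK unmanageable, which is one reason
    hand-editing hundreds of key policies is risky.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "LimitedUse",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": [f"kms:{op}" for op in operations],
                "Resource": "*",
            },
        ],
    }


class GrantStore:
    """In-memory stand-in for the grants attached to one CMK (constructed)."""

    def __init__(self):
        self._by_token = {}

    def create_grant(self, grantee_principal, operations, retiring_principal):
        """Mimics CreateGrant: records the grant, returns a grant token and ID."""
        token, grant_id = uuid.uuid4().hex, uuid.uuid4().hex
        self._by_token[token] = {
            "GrantId": grant_id,
            "GranteePrincipal": grantee_principal,
            "RetiringPrincipal": retiring_principal,
            "Operations": list(operations),
        }
        return {"GrantToken": token, "GrantId": grant_id}

    def retire_grant(self, grant_token, caller_arn):
        """Mimics RetireGrant: only the designated retiring principal may retire."""
        grant = self._by_token.get(grant_token)
        if grant is None:
            raise KeyError("unknown or already retired grant token")
        if caller_arn != grant["RetiringPrincipal"]:
            raise PermissionError(f"{caller_arn} is not the retiring principal")
        del self._by_token[grant_token]

    def active_grants(self):
        return list(self._by_token.values())


def _statement_applies(statement, principal_arn, action):
    """True when the statement names this principal and covers this action."""
    principals = statement["Principal"]["AWS"]
    if isinstance(principals, str):
        principals = [principals]
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return principal_arn in principals and (action in actions or "kms:*" in actions)


def is_allowed(key_policy, grants, principal_arn, operation):
    """Simplified decision: an explicit Deny in the key policy wins; otherwise
    an Allow from the key policy or from any active grant is enough.
    Grants can only add access; they never take it away."""
    action = f"kms:{operation}"
    applicable = [s for s in key_policy["Statement"]
                  if _statement_applies(s, principal_arn, action)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    if any(s["Effect"] == "Allow" for s in applicable):
        return True
    return any(g["GranteePrincipal"] == principal_arn and operation in g["Operations"]
               for g in grants.active_grants())


if __name__ == "__main__":
    policy = build_key_policy(user_arn("rizal"), ["GenerateDataKey", "Decrypt"])
    store = GrantStore()
    grant = store.create_grant(user_arn("josephine"), ["Decrypt"], user_arn("rizal"))
    print("josephine Decrypt via grant:", is_allowed(policy, store, user_arn("josephine"), "Decrypt"))
    store.retire_grant(grant["GrantToken"], user_arn("rizal"))
    print("josephine Decrypt after retire:", is_allowed(policy, store, user_arn("josephine"), "Decrypt"))
```

Running the module walks through the article's scenario: rizal's access comes from the key policy, josephine's comes only from the grant, and retiring the grant (which only rizal, the retiring principal, may do in this model) removes josephine's Decrypt permission without any edit to the key policy.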
This article is a snippet from our AWS Certified Security Specialty study guide eBook, which will be released in a few weeks. Meanwhile, do check out our AWS Security Specialty Practice Exams and cheat sheets if you are preparing for the exam.
Comments:
Hi Jon, your cheat sheets are really great for quick revision before the exam.
Yes! Grants allow us to dynamically provide temporary access to users/roles/groups. Static policies are hard to manage.
Thanks Jon. I was studying KMS last night and looking for clarity around key policies and grants. This is very helpful. Looking forward to the eBook.
Thanks Jon