Effective IAM for AWS


Appendix - Least privilege KMS key policy

This is the complete least privilege key policy for the customer managed CMK that secures a data domain in "Simplify IAM by using the best parts".

Notice that it follows the recommended general form:

  • One Allow statement per capability, e.g. Administer Resource, Read Config, Read Data, Write Data and Delete Data, each restricted to named principals via an `aws:PrincipalArn` condition
  • A final Deny statement (`DenyEveryoneElse`) for all principals not explicitly allowed
{
"Version": "2012-10-17",
"Id": "LeastPrivilegeKeyPolicy",
"Statement": [
{
"Sid": "AllowRestrictedAdministerResource",
"Effect": "Allow",
"Action": [
"kms:CancelKeyDeletion",
"kms:ConnectCustomKeyStore",
"kms:CreateAlias",
"kms:CreateCustomKeyStore",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:DisableKey",
"kms:DisableKeyRotation",
"kms:DisconnectCustomKeyStore",
"kms:EnableKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"kms:RetireGrant",
"kms:RevokeGrant",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"kms:UpdateAlias",
"kms:UpdateCustomKeyStore",
"kms:UpdateKeyDescription"
],
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:user/ci"
]
}
}
},
{
"Sid": "AllowRestrictedReadConfig",
"Effect": "Allow",
"Action": [
"kms:DescribeCustomKeyStores",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:GetParametersForImport",
"kms:GetPublicKey",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeyPolicies",
"kms:ListKeys",
"kms:ListResourceTags",
"kms:ListRetirableGrants"
],
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:user/ci"
]
}
}
},
{
"Sid": "AllowRestrictedReadData",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Verify"
],
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:role/appA"
]
}
}
},
{
"Sid": "AllowRestrictedWriteData",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateRandom",
"kms:ImportKeyMaterial",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:Sign"
],
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:role/appA"
]
}
}
},
{
"Sid": "AllowRestrictedDeleteData",
"Effect": "Allow",
"Action": [
"kms:DeleteCustomKeyStore",
"kms:DeleteImportedKeyMaterial"
],
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": []
}
}
},
{
"Sid": "AllowRestrictedCustomActions",
"Effect": "Allow",
"Action": "kms:DescribeKey",
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": []
}
}
},
{
"Sid": "DenyEveryoneElse",
"Effect": "Deny",
"Action": "kms:*",
"Resource": "*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:user/ci",
"arn:aws:iam::123456789012:role/appA"
]
},
"Bool": {
"aws:PrincipalIsAWSService": "false",
"kms:GrantIsForAWSResource": "false"
}
}
}
]
}