AWS KMSのキーポリシーとアイデンティティベースポリシー

2021/10/17

AWS KMSのCMKを作成する際に、管理者とキーユーザーを選択することで、以下のようなキーポリシーが生成されます。
以下は管理者にOrganizationAccountAccessRole、キーユーザーにuser1を指定した例です。

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/OrganizationAccountAccessRole"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:ReplicateKey",
                "kms:UpdatePrimaryRegion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/user1"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/user1"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

{

"Id": "key-consolepolicy-3",

"Version": "2012-10-17",

"Statement": [

{

"Sid": "Enable IAM User Permissions",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:root"

"Action": "kms:*",

"Resource": "*"

{

"Sid": "Allow access for Key Administrators",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:role/OrganizationAccountAccessRole"

"Action": [

"kms:Create*",

"kms:Describe*",

"kms:Enable*",

"kms:List*",

"kms:Put*",

"kms:Update*",

"kms:Revoke*",

"kms:Disable*",

"kms:Get*",

"kms:Delete*",

"kms:TagResource",

"kms:UntagResource",

"kms:ScheduleKeyDeletion",

"kms:CancelKeyDeletion",

"kms:ReplicateKey",

"kms:UpdatePrimaryRegion"

"Resource": "*"

{

"Sid": "Allow use of the key",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:user/user1"

"Action": [

"kms:Encrypt",

"kms:Decrypt",

"kms:ReEncrypt*",

"kms:GenerateDataKey*",

"kms:DescribeKey"

"Resource": "*"

{

"Sid": "Allow attachment of persistent resources",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:user/user1"

"Action": [

"kms:CreateGrant",

"kms:ListGrants",

"kms:RevokeGrant"

"Resource": "*",

"Condition": {

"Bool": {

"kms:GrantIsForAWSResource": "true"

}

]

}

これでIAMユーザーのuser1は、IAMポリシーで許可をしなくてもこのCMKに対しての基本操作は許可されます。
例えばgenerate-data-keyを実行すると、データキーが生成されます。

$ aws kms generate-data-key \
--key-id mrk-1234567890123abcdefghsd \
--key-spec AES_256

{
    "CiphertextBlob": "AQIDAHj2R4mtaSrV3i4Yti1b1+CH7K+dDHdozvgyqIGbHQolLAEknPs6sjrMjPaSe0zpTN59AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMTvnhmj6vG0/UHHY4AgEQgDvG5Yfoyt+NwnEO3BKpGbwModiOugQS10iWr8Vdpa/NM024pRAu8gNwr7MolqfYcYJTUqVnMXLQDEJKkQ==",
    "Plaintext": "R6HU1W8txBVAfQbi61fbZwcsw2D5EIjgACM8lRJc7kk=",
    "KeyId": "arn:aws:kms:ap-northeast-1:123456789012:key/mrk-1234567890123abcdefghsd"
}

$ aws kms generate-data-key \

--key-id mrk-1234567890123abcdefghsd \

--key-spec AES_256

{

"CiphertextBlob": "AQIDAHj2R4mtaSrV3i4Yti1b1+CH7K+dDHdozvgyqIGbHQolLAEknPs6sjrMjPaSe0zpTN59AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMTvnhmj6vG0/UHHY4AgEQgDvG5Yfoyt+NwnEO3BKpGbwModiOugQS10iWr8Vdpa/NM024pRAu8gNwr7MolqfYcYJTUqVnMXLQDEJKkQ==",

"Plaintext": "R6HU1W8txBVAfQbi61fbZwcsw2D5EIjgACM8lRJc7kk=",

"KeyId": "arn:aws:kms:ap-northeast-1:123456789012:key/mrk-1234567890123abcdefghsd"

}

新規でIAMユーザーuser2を作成して、インラインポリシーで以下を設定したとします。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ap-northeast-1:123456789012:key/mrk-1234567890123abcdefghsd"
        }
    ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"kms:Encrypt",

"kms:Decrypt",

"kms:ReEncrypt*",

"kms:GenerateDataKey*",

"kms:DescribeKey"

"Resource": "arn:aws:kms:ap-northeast-1:123456789012:key/mrk-1234567890123abcdefghsd"

}

]

}

user2も同様にkms:GenerateDataKeyなどの操作が許可されます。
これはCMK作成時にキーポリシーに以下のポリシーが含まれているためです。

{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }