Question 301110 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Decrypt parameter store secrets conditionally?

I am trying to create a policy to allow users to view all the parameter store values unless it is encrypted by the dev kms key. The following is the policy that i’ve written.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "DenyDecryptForDevKey",
        "Effect": "Deny",
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:RequestAlias": "dev"
            }
        }
    },
    {
        "Sid": "AllowDecryptIfNotDevKey",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "kms:RequestAlias": "dev"
            }
        }
    },
    {
        "Sid": "GetSSMParameters",
        "Effect": "Allow",
        "Action": [
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:GetParametersByPath"
        ],
        "Resource": "*"
    }
]

}

but when i’m trying to create it in the UI, these are the following permissions it shows that are defined in the policy.

| Explicit deny (1 of 402 services) |
|------------------------------------|
| Service      | Access level | Resource       | Request condition        |
|--------------|--------------|----------------|---------------------------|
| KMS          | Limited: Write | All resources | kms:RequestAlias = dev |

| Allow (1 of 402 services)         |
|-----------------------------------|
| Service          | Access level | Resource       | Request condition |
|------------------|--------------|----------------|-------------------|
| KMS  | Limited: Write | All resources | kms:RequestAlias !== dev             |
| Systems Manager  | Limited: Read | All resources | None              |

This is how i am testing it :

  1. Create a parameter with type SecureString and encrypt it with key dev
  2. Create another parameter with type SecureString and encrypt it with key that is not dev.
  3. Create a Role. testing-role with Trusted entity type as AWS account.
  4. Create an IAM policy with the above permissions and attach to the role.
  5. Switch role from the UI inputting the name of the role i.e. testing-role that i created as well as the AWS account ID.
  6. After switching to the role, go to the parameters that were created and try to view the value by toggling Show decrypted value

But somehow I’m still able to decrypt any secrets encrypted by dev key. Thank you.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    This is the policy that worked.

     {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDecryptIfDevKey",
                "Effect": "Deny",
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {
                    "ForAnyValue:StringLike": {
                        "kms:ResourceAliases": "alias/dev*"
                    }
                }
            },
            {
                "Sid": "AllowDecrypt",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "*"
            },
            {
                "Sid": "GetSSMParameters",
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameter",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                ],
                "Resource": "*"
            }
        ]

  2. 0

    There is a distinction between allowing or denying requests to kms:Decrypt based on whether the request is made by alias or by id or ARN. Setting a condition on the IAM policy relating to RequestAlias only affects those requests by alias.

    However, a request that used a key ID, a key ARN, or a different alias
    would not fulfill the condition, even if these values identified the
    same KMS key.

    Using the resource alias appears to fit the requirement here.

    There is an additional factor here of allowing unconditionally and then denying particular elements conditionally rather than the safer approach of allowing only what is intended.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDecrypt",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "kms:ResourceAliases": "alias/dev*"
                }
            }
        },
        {
            "Sid": "GetSSMParameters",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}

    Tested in the Policy Simulator as much as reasonably possible without access to the precise keys you’re trying to protect to check aliases.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search