Question 325440 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Terraform Error: KMS Key policy MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future

I keep getting this error but I can’t seem to spot what is wrong with my policy. Can someone help? This is my aws_kms_key_policy?

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Id      = "kms-key-policy",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt",
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

I can’t seem to spot what is incorrect with my policy. Thanks

Tags:

2

Answers


  1. 0

    This statement only allows the principal states.amazonaws.com to ever do anything with the key ever again. It blocks you, the owner of the key, from ever modifying the key in the future. That’s why it is rejecting the policy.

    Login or Signup to reply.
  2. 0

    I think you also want to allow the policy to be updated by a user from your AWS account. Right now there is no way to update the policy as you are only allowing AWS service to perform some actions. To fix this, I would add something like:

    resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Id      = "kms-key-policy",
    Statement = [
      {
        Sid = "Allow administration of the key",
        Effect = "Allow",
        Principal = {
          "AWS" = "arn:aws:iam::<your AWS account ID>:user/<user name>"
        },
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
         ],
         Resource = "*"
      },
      {
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt",
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

    This will allow only the user that you specify to administer the KMS key. If you want to allow the account root user to administer the key, you can use the following:

    Principal = {
  "AWS" = "arn:aws:iam::<your AWS account ID>:root"
}

    If you have a different identity that needs to administer the key, you can see more examples in the re:Post article.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search