How can I prevent IAM policies from allowing a user or role to access a KMS key in AWS KMS?

Last updated: 2021-02-17

I want to secure my AWS KMS key from access by AWS Identity and Access Management (IAM) identities (users, groups, and roles). However, the default KMS key policy allows IAM identities in the account to access the KMS key with IAM permissions. How can I prevent this?

Short description

The default KMS key policy contains a statement similar to the following:

{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}

In this example, the Effect and Principal elements don't refer to the AWS account root user. The Amazon Resource Name (ARN) arn:aws:iam::111122223333:root denotes the account itself, so this statement allows IAM policies in that account to grant permissions to the KMS key. As a result, any principal in AWS account 111122223333 has full access to the KMS key if the required AWS Key Management Service (AWS KMS) permissions are attached to the IAM entity.

Resolution

You can prevent IAM entities from accessing the KMS key while still allowing the account root user to manage the key. Keeping the root user's access also prevents the account from being locked out of the KMS key.

Be sure that the KMS key policy contains a key administrators statement for IAM entities in the same account, similar to the following:

{
    "Sid": "Allow access for Key Administrators",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:user/KMSAdminUser",
            "arn:aws:iam::111122223333:role/KMSAdminRole"
        ]
    },
    "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
    ],
    "Resource": "*"
}

Replace the Sid of the default "Enable IAM User Permissions" statement in the KMS key policy with "EnableRootAccessAndPreventPermissionDelegation", and add a Condition element similar to the following:

Important: Replace the account 111122223333 with your account number, and be sure that the condition key aws:PrincipalType is set to Account.

{
    "Sid": "EnableRootAccessAndPreventPermissionDelegation",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalType": "Account"
        }
    }
}

With this policy in place, only the account root user and the IAM entities listed in the key administrators statement of the KMS key policy can manage the key.
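The following Python script is an added example that is not part of this article or of any AWS tooling. It audits a KMS key policy document offline for the pattern described above: it flags any Allow statement whose principal is the account (the :root ARN or bare account ID) and that lacks the StringEquals aws:PrincipalType = Account condition, and it lists the IAM users and roles the policy names as key administrators. The two policy documents embedded in the script are constructed samples that reproduce the default statement and the hardened statements shown above; the account number 111122223333 is the article's placeholder, and the function names are the example's own.

```python
"""Offline audit of an AWS KMS key policy for delegation of key permissions to IAM."""
import json

ACCOUNT_ID = "111122223333"  # placeholder account number from the article

# Constructed sample 1: the default key policy statement, which delegates to IAM.
DEFAULT_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed sample 2: the hardened policy from the Resolution section.
HARDENED_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:user/KMSAdminUser",
                                  "arn:aws:iam::111122223333:role/KMSAdminRole"]},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "EnableRootAccessAndPreventPermissionDelegation",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalType": "Account"}},
        },
    ],
})

# Actions that let a principal change the key policy or destroy the key.
ADMIN_ACTION_PREFIXES = ("kms:*", "kms:Put", "kms:ScheduleKeyDeletion")


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is permitted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _is_account_principal(arn, account_id):
    # Both spellings name the account itself, not the root user's own credentials.
    return arn in (f"arn:aws:iam::{account_id}:root", account_id)


def find_delegating_statements(policy_json, account_id):
    """Sids of Allow statements that hand key permissions to every IAM entity in the account."""
    flagged = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_is_account_principal(p, account_id) for p in _aws_principals(stmt)):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "Account" in _as_list(condition.get("aws:PrincipalType")):
            continue  # limited to the root user: this is the recommended statement
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def key_administrators(policy_json, account_id):
    """Sorted ARNs of IAM users/roles in the account granted policy-changing or deletion actions."""
    prefix = f"arn:aws:iam::{account_id}:"
    admins = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.startswith(ADMIN_ACTION_PREFIXES) for a in actions):
            continue
        for arn in _aws_principals(stmt):
            if arn.startswith(prefix) and (":user/" in arn or ":role/" in arn):
                admins.add(arn)
    return sorted(admins)


def audit(policy_json, account_id):
    """True in "ok" only if nothing delegates to IAM and someone besides root can manage the key."""
    delegating = find_delegating_statements(policy_json, account_id)
    admins = key_administrators(policy_json, account_id)
    return {"delegates_to_iam": delegating, "administrators": admins,
            "ok": not delegating and bool(admins)}


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_KEY_POLICY), ("hardened", HARDENED_KEY_POLICY)):
        print(name, audit(doc, ACCOUNT_ID))
```

To run it against a real key, pass the policy document returned by GetKeyPolicy (for example the output of aws kms get-key-policy --key-id <key-id> --policy-name default --output text) to audit() together with your account number. The "ok" result requires both conditions at once, because restricting the root statement without naming any administrators leaves only the root user able to manage the key.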


Did this article help?


Do you need billing or technical support?