How can I prevent IAM policies from allowing a user or role to access a CMK in AWS KMS?

Last updated: 2021-02-17

I want to secure my customer master key (CMK) from access by AWS Identity and Access Management (IAM) identities (users, groups, and roles). However, the default CMK policy allows IAM identities in the account to access the CMK with IAM permissions. How can I prevent this?

Short description

The default CMK IAM policy contains a statement similar to the following:

{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}

In this example, the Principal ARN that ends in :root does not refer only to the AWS account root user. In a key policy, that ARN stands for the account itself and delegates access to the CMK to the IAM policies in that account. As a result, any principal in AWS account 111122223333 gets the same kms:* access to the CMK as the root user, provided that the required AWS Key Management Service (AWS KMS) permissions are attached to the IAM entity.

Resolution

You can prevent IAM entities from using IAM permissions to access the CMK while still allowing the account root user to manage the CMK. Keeping the root user statement also prevents the account from losing access to the CMK.

Be sure that the CMK policy contains a key administrators statement that names administrators in the same account, similar to the following:

{
    "Sid": "Allow access for Key Administrators",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:user/KMSAdminUser",
            "arn:aws:iam::111122223333:role/KMSAdminRole"
        ]
    },
    "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
    ],
    "Resource": "*"
}

Then, replace the Sid of the default statement with "EnableRootAccessAndPreventPermissionDelegation", and add a Condition element similar to the following:

Important: Replace the account 111122223333 with your account number, and be sure that the condition key aws:PrincipalType is set to Account.

{
    "Sid": "EnableRootAccessAndPreventPermissionDelegation",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalType": "Account"
        }
    }
}

After this change, only the account root user and the IAM entities listed in the key administrators statement of the CMK policy can manage the key; an IAM policy alone no longer grants access to it.
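The following Python script is an added example, not AWS code or part of this article. It audits a key policy document offline for the delegation described in the Short description (an Allow statement with an account :root principal and no aws:PrincipalType = Account condition) and rewrites it into the two statements shown in the Resolution. The account number, key administrator ARNs and the sample policy are placeholders constructed for the example; the helper names are this example's own.

```python
"""Audit and harden an AWS KMS key policy document offline.

Added example for this article; it is not AWS code. The account number,
admin ARNs and the sample policy below are placeholders constructed here.
"""
import copy
import json

ACCOUNT_ID = "111122223333"  # placeholder: replace with your account number
ADMIN_PRINCIPALS = [         # placeholder key administrators from the article
    f"arn:aws:iam::{ACCOUNT_ID}:user/KMSAdminUser",
    f"arn:aws:iam::{ACCOUNT_ID}:role/KMSAdminRole",
]
ADMIN_SID = "Allow access for Key Administrators"
ROOT_SID = "EnableRootAccessAndPreventPermissionDelegation"
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]

# Constructed sample: the default key policy that delegates access to IAM.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _restricted_to_account(stmt):
    """True when the statement carries aws:PrincipalType = Account."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return _as_list(cond.get("aws:PrincipalType")) == ["Account"]


def _delegates_to_iam(stmt):
    """An Allow for an account :root principal without the Account condition
    lets every IAM entity in that account use the statement's actions."""
    return (
        stmt.get("Effect") == "Allow"
        and any(p.endswith(":root") for p in _aws_principals(stmt))
        and not _restricted_to_account(stmt)
    )


def find_iam_delegation(policy):
    """Return the Sids of statements that delegate key access to IAM policies."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if _delegates_to_iam(s)]


def harden_policy(policy, account_id, admin_principals):
    """Return a copy of the policy with the two statements from the Resolution:
    an explicit key administrators statement and a root statement that is
    conditioned on aws:PrincipalType = Account. The input is left untouched."""
    hardened = copy.deepcopy(policy)
    statements = hardened.setdefault("Statement", [])
    for stmt in statements:
        if _delegates_to_iam(stmt):
            stmt["Sid"] = ROOT_SID
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:PrincipalType"] = "Account"
    if not any(s.get("Sid") == ADMIN_SID for s in statements):
        statements.insert(0, {
            "Sid": ADMIN_SID,
            "Effect": "Allow",
            "Principal": {"AWS": list(admin_principals)},
            "Action": list(ADMIN_ACTIONS),
            "Resource": "*",
        })
    return hardened


def render_policy(policy):
    """Serialise the document for `aws kms put-key-policy --policy file://...`."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print("Delegating statements:", find_iam_delegation(DEFAULT_KEY_POLICY))
    print(render_policy(harden_policy(DEFAULT_KEY_POLICY, ACCOUNT_ID, ADMIN_PRINCIPALS)))
```

Write the rendered output to a file and apply it with aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json. Run find_iam_delegation over the policy you fetch back (aws kms get-key-policy) as the post-change check: it should return an empty list.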
