A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company's AWS account.
What does the statement allow?
A. All principals from all AWS accounts to use the key.
B. Only the root user from account 111122223333 to use the key.
C. All principals from account 111122223333 to use the key but only on Amazon S3.
D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.
Answer is D
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS CMKs.
The following example shows the policy statement that allows access to the AWS account and thereby enables IAM policies.
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": "kms:*",
"Resource": "*"
}
"Essentially what this is saying is 'allow the principal root'. So when people first see this they normally assume that this is the root user. It is not the root user.
What this is actually doing is delegating permission to IAM. And in fact this statement here is delegating all KMS actions to IAM.
So that means any IAM user or principal within the account (so if you have another IAM user or a role that also has a KMS star policy to this key) they are full admin. They will be able to perform any option that they want against this key.
So don't confuse that 'root' in this statement for the root user, but we only think of this statement as allowing IAM to further delegate permission."
Principal: This specifies the AWS account (111122223333) allowed to access the KMS key. In this case, the "root" principal represents all IAM users and roles within that AWS account.
The following default key policy statement is critical.
It gives the AWS account that owns the KMS key full access to the KMS key.
Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its users. To give permission to account administrators, the key policy must include an explicit statement that provides this permission, like this one.
It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.
Without this permission, IAM policies that allow access to the key are ineffective, although IAM policies that deny access to the key are still effective.
It reduces the risk of the key becoming unmanageable by giving access control permission to the account administrators, including the account root user, which cannot be deleted.
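As an added illustration (not code from this thread or from AWS), a small Python model of the rule quoted above: a key policy that grants the account root ARN only enables identity (IAM) policies, so an IAM Allow works only when that statement is present, an IAM Deny works regardless, and the account root user is named directly. The user `alice`, the policies and the functions `is_allowed`/`demo` are constructed for the example; conditions, grants, cross-account access and SCPs are deliberately left out.

```python
ACCOUNT = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"  # constructed sample IAM user

# The statement the question asks about, as quoted from the AWS docs above.
ENABLE_IAM_STATEMENT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                        "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _action_match(stmt, action):
    # Supports exact actions and trailing-wildcard patterns such as "kms:*".
    return any(p == "*" or p == action or (p.endswith("*") and action.startswith(p[:-1]))
               for p in _as_list(stmt.get("Action")))

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS"))

def is_allowed(key_policy, iam_policy, principal_arn, action):
    """Simplified decision for a principal in ACCOUNT with an identity (IAM) policy."""
    key_stmts = [s for s in key_policy["Statement"] if _action_match(s, action)]
    iam_stmts = [s for s in iam_policy["Statement"] if _action_match(s, action)]
    # 1. An explicit Deny in either policy wins; IAM denies work even without the root statement.
    if any(s["Effect"] == "Deny" and set(_principals(s)) & {principal_arn, "*"} for s in key_stmts):
        return False
    if any(s["Effect"] == "Deny" for s in iam_stmts):
        return False
    # 2. The key policy names the principal directly (this is how the root user itself gets access).
    if any(s["Effect"] == "Allow" and set(_principals(s)) & {principal_arn, "*"} for s in key_stmts):
        return True
    # 3. Granting the account root only delegates to IAM: the principal still needs
    #    an Allow in its own identity policy.
    iam_enabled = any(s["Effect"] == "Allow" and ROOT_ARN in _principals(s) for s in key_stmts)
    return iam_enabled and any(s["Effect"] == "Allow" for s in iam_stmts)

def demo():
    """Return the decision for each case discussed in the thread (constructed policies)."""
    allow_iam = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
    deny_iam = {"Statement": [{"Effect": "Deny", "Action": "kms:*", "Resource": "*"}]}
    no_iam = {"Statement": []}
    with_root, without_root = {"Statement": [ENABLE_IAM_STATEMENT]}, {"Statement": []}
    return {
        "IAM allow + root statement": is_allowed(with_root, allow_iam, ALICE, "kms:Decrypt"),
        "IAM allow, no root statement": is_allowed(without_root, allow_iam, ALICE, "kms:Decrypt"),
        "no IAM policy + root statement": is_allowed(with_root, no_iam, ALICE, "kms:Decrypt"),
        "IAM deny + root statement": is_allowed(with_root, deny_iam, ALICE, "kms:Decrypt"),
        "account root user itself": is_allowed(with_root, no_iam, ROOT_ARN, "kms:ScheduleKeyDeletion"),
    }
```

Only the first and last cases come back allowed; removing the root statement makes the IAM Allow ineffective, while the IAM Deny is honoured either way.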
D, for sure.
AWS doc, Example key policy
Allows the AWS account (root user) 111122223333 full access to the CMK, and thus enables IAM policies in the account to allow access to the CMK.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html