Hello.
We need to restrict the users from decrypting with the KMS key, so the easiest and fastest deployment I could think of is to add a Deny statement for the KMS Decrypt API by modifying the AWSAdministratorAccess policy and attaching the newly modified policy as a customer managed IAM policy.
Yes, if you use the IAM policy you created, "kms:Decrypt" will be denied.
If you want to deny "kms:Decrypt" for the entire AWS account, one way is to use an SCP, but since "kms:Decrypt" is sometimes used by AWS services, it is preferable to use IAM; I think it would be better to limit it with an IAM policy.
Hi,
I am afraid that this won't work: your users still have the right to do lots of things, in particular to modify IAM policies like the one you created. So nothing will prevent them from modifying your policy above to remove the Deny statement around KMS keys...
You must make this policy more sophisticated and deny the rights to modify IAM policies. You must at least add something like the following to prevent changes to the IAM config by your users:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:DetachUserPolicy",
                "iam:PutUserPolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:DeleteUserPermissionsBoundary"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}
Best,
Didier
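The point of the answer above, checked offline as an added example (this is not code from the original thread or from AWS): a small action-level evaluator with IAM's explicit-deny-wins rule, run against a reconstruction of the question's policy ("Allow *" plus a Deny on kms:Decrypt) and against the same policy with the Deny on IAM mutation actions appended. The policy document for the question is assumed from its description; the function and constant names are this example's own.

```python
"""Offline check of the 'deny kms:Decrypt' policy from the question and of
the IAM-hardening additions from the answer above.

Added example, not the original poster's or AWS's code. It models only the
part of IAM evaluation that matters here: an explicit Deny always beats an
Allow, and Action strings support the '*' and '?' wildcards. Conditions,
resource ARNs and NotAction are deliberately not modelled.
"""
import fnmatch
import json

# The question's approach: AdministratorAccess ("Allow *") plus one Deny.
# Reconstructed from the question text, not exported from a real account.
DENY_KMS_DECRYPT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# The IAM actions the answer says must also be denied.
IAM_MUTATION_ACTIONS = [
    "iam:AttachRolePolicy", "iam:DeletePolicy", "iam:DeleteRole",
    "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:DeleteUserPolicy", "iam:DetachUserPolicy",
    "iam:PutUserPolicy", "iam:PutUserPermissionsBoundary",
    "iam:DeleteUserPermissionsBoundary",
]


def harden(policy: dict) -> dict:
    """Return a copy of `policy` with the IAM-mutation Deny statement appended."""
    hardened = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    hardened["Statement"].append(
        {"Effect": "Deny", "Action": list(IAM_MUTATION_ACTIONS), "Resource": "*"}
    )
    return hardened


def _actions(statement: dict) -> list:
    """Normalise Action (string or list) to a list of patterns."""
    acts = statement.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Action-level decision: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    allowed = False
    for st in policy.get("Statement", []):
        if any(_matches(p, action) for p in _actions(st)):
            if st.get("Effect") == "Deny":
                return "Deny"  # explicit deny overrides any Allow
            if st.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def can_remove_own_deny(policy: dict) -> bool:
    """True if a user holding `policy` could detach or overwrite it on their own
    user, which is the gap the answer describes."""
    escape_hatches = ["iam:DetachUserPolicy", "iam:PutUserPolicy", "iam:AttachUserPolicy"]
    return any(evaluate(policy, a) == "Allow" for a in escape_hatches)


if __name__ == "__main__":
    for name, pol in [("question's policy", DENY_KMS_DECRYPT_ONLY),
                      ("hardened policy", harden(DENY_KMS_DECRYPT_ONLY))]:
        print(f"{name}: kms:Decrypt -> {evaluate(pol, 'kms:Decrypt')}, "
              f"iam:DetachUserPolicy -> {evaluate(pol, 'iam:DetachUserPolicy')}, "
              f"can remove own deny -> {can_remove_own_deny(pol)}")
```

Running it shows the question's policy denying kms:Decrypt but still allowing iam:DetachUserPolicy, while the hardened policy denies both. One caveat to keep in mind when extending the Deny list: iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion are not in it, so a user could still publish a new default version of the customer managed policy with the Deny statement removed; the evaluator reports those as "Allow" against the hardened policy.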