AWS IAM Policy modification

0

Hi AWS, the IAM users in our AWS accounts mostly have the AWS managed policy AWSAdministratorAccess attached, which allows them to access all AWS services and perform most, if not all, read/write actions. We need to restrict the users from decrypting the KMS key, so the easiest and fastest deployment I thought of is to add a Deny section for the KMS Decrypt API by modifying the AWSAdministratorAccess policy and attaching the newly modified customer managed IAM policy. Here is the code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdministratorAccess",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyKMSDecryptAccess",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

Please acknowledge and confirm whether this is the right way of doing things, or whether there is a better way, like using an SCP, etc. Also, confirm whether this policy will work or not if I use it.

2 Answers
1

Hello.

We need to restrict the users from decrypting the KMS key, so the easiest and fastest deployment I thought of is to add a Deny section for the KMS Decrypt API by modifying the AWSAdministratorAccess policy and attaching the newly modified customer managed IAM policy.

Yes, if you use the IAM policy you created, "kms:Decrypt" will be denied.
If you want to deny "kms:Decrypt" for the entire AWS account, one way is to use an SCP, but since "kms:Decrypt" is sometimes used by AWS services, it is preferable to use IAM. I think it would be better to limit it by policy.

answered a month ago
reviewed a month ago
0

Hi,

I am afraid that this won't work: your users still mostly have the right to do lots of things, in particular to modify IAM policies like the one you created. So, nothing will prevent them from modifying your policy above to remove the Deny statement around KMS keys...

You must make this policy more sophisticated to deny the rights to modify IAM policies. You must at least add something like the following to prevent changes to the IAM config by your users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:DetachUserPolicy",
                "iam:PutUserPolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:DeleteUserPermissionsBoundary"
            ],
            "Effect": "Deny",
            "Resource":  "*"
        }
    ]
}

Best,

Didier

answered a month ago
Sandeep
reviewed a month ago
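As an added example that is not part of this thread, here is a small offline Python evaluator of the two policies posted above. It reproduces the IAM rule both answers rely on, an explicit Deny overriding the Allow on "*", and confirms that the first policy blocks kms:Decrypt but still allows iam:DeletePolicy, that attaching Didier's second policy closes that, and that any action absent from its deny list (iam:CreatePolicyVersion, for instance) stays allowed. It models only Action and Effect; Resource and Condition evaluation is out of scope.

```python
import re
# Constructed copies of the two policies posted in this thread (not AWS-managed policies).
DENY_KMS_DECRYPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdministratorAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyKMSDecryptAccess", "Effect": "Deny", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}
DENY_IAM_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "iam:AttachRolePolicy", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:AttachUserPolicy", "iam:DeleteUserPolicy",
            "iam:DetachUserPolicy", "iam:PutUserPolicy", "iam:PutUserPermissionsBoundary",
            "iam:DeleteUserPermissionsBoundary"]},
    ],
}

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive; '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def evaluate(policies: list, action: str) -> str:
    """Simplified evaluation for a principal with all `policies` attached and Resource '*' everywhere:
    an explicit Deny beats every Allow; no match is an implicit deny. Resource/Condition/NotAction ignored."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"  # nothing in any other statement can override this
                decision = "allowed"
    return decision

if __name__ == "__main__":
    checks = [
        ([DENY_KMS_DECRYPT], "kms:Decrypt"),
        ([DENY_KMS_DECRYPT], "iam:DeletePolicy"),  # still allowed, which is Didier's concern
        ([DENY_KMS_DECRYPT, DENY_IAM_CHANGES], "iam:DeletePolicy"),
        ([DENY_IAM_CHANGES], "iam:CreatePolicyVersion"),  # not in the deny list, so still allowed
    ]
    for pols, act in checks:
        print(f"{act:28} -> {evaluate(pols, act)}")
```

Before attaching a policy for real, `aws iam simulate-custom-policy` gives the authoritative answer, including Resource and Condition evaluation that this toy omits.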