KMS generates incomplete IAM resource policy #3458

Closed
1 of 5 tasks
yandy-r opened this issue Jul 29, 2019 · 0 comments · Fixed by #3459
Labels
@aws-cdk/aws-kms Related to AWS Key Management bug This issue is a bug.

Comments


yandy-r commented Jul 29, 2019

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

When creating a Customer Managed KMS Key the generated resource policy for the account principal is incomplete. At least when it comes to S3 buckets.

Create a KMS key and a bucket with KMS encryption enabled

import * as cdk from '@aws-cdk/core';
import * as kms from '@aws-cdk/aws-kms';
import * as s3 from '@aws-cdk/aws-s3';

// Customer managed key with the default generated resource policy
const kmsKey = new kms.Key(this, 'KeyName', {
  enableKeyRotation: true,
  enabled: true,
  removalPolicy: cdk.RemovalPolicy.DESTROY
});

// Bucket using SSE-KMS with the key above
new s3.Bucket(this, 'MyBucket', {
  encryption: s3.BucketEncryption.KMS,
  encryptionKey: kmsKey,
  removalPolicy: cdk.RemovalPolicy.DESTROY
});

With this default configuration the generated key is missing an action needed to be able to write to S3 buckets (read does not seem to be affected). With the CLI, SDK or console, no create (put or otherwise) on the bucket is allowed.

The error given through the aws cli is "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

The fix, according to this AWS support article, is to add the following to the statement's actions: kms:GenerateDataKey.

  • What is the expected behavior (or behavior of feature suggested)?

Expected behaviour is that write operations to S3 buckets should work.

  • What is the work around if any?

The workaround is to add the following to the CDK code.

import * as iam from '@aws-cdk/aws-iam';

// Grant the account principal kms:GenerateDataKey on the key
kmsKey.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:GenerateDataKey'],
    principals: [new iam.AccountPrincipal(cdk.Aws.ACCOUNT_ID)],
    resources: ['*']
  })
);

or this, which is more precise

kmsKey.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:GenerateDataKey'],
    principals: [new iam.AccountRootPrincipal()],
    resources: ['*']
  })
);

This completes the resource policy and write operations to S3 now work.

  • Please tell us about your environment:

    • CDK CLI Version: 1.2.0
    • Module Version: ?
    • OS: [all]
    • Language: [TypeScript]
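A way to verify the problem the issue describes before deploying, as an added example that is not part of the issue or of the CDK project: a small checker over a KMS key policy document that reports whether the account root principal is allowed kms:GenerateDataKey, the action S3 needs for SSE-KMS PutObject. The policy document, the statement Sids and the account id 111122223333 are constructed for the example; `evaluateKeyPolicy`, `missingActions` and `withGenerateDataKey` are hypothetical helper names.

```typescript
// Added example, not code from the issue or the CDK project. Lints a KMS key
// policy for the grant the issue found missing (kms:GenerateDataKey for the
// account root principal) and shows the policy with the workaround statement
// appended. The sample policy below is constructed; the account id is a placeholder.

type AwsPrincipal = string | { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: AwsPrincipal;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

const ROOT_PRINCIPAL = "arn:aws:iam::111122223333:root"; // placeholder account id

// Constructed sample: key-administration actions for the root principal but no
// data-key action, the shape of the incomplete policy described in the issue.
const INCOMPLETE_KEY_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "KeyAdministration",
      Effect: "Allow",
      Principal: { AWS: ROOT_PRINCIPAL },
      Action: ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
               "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
               "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
      Resource: "*",
    },
  ],
};

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM action names match case-insensitively and "*" is a wildcard, so
// "kms:Get*" covers kms:GetKeyPolicy but does not cover kms:GenerateDataKey.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", "i").test(action);
}

function principalsOf(p: AwsPrincipal | undefined): string[] {
  if (p === undefined) return [];
  if (typeof p === "string") return [p];
  return [...asList(p.AWS), ...asList(p.Service)];
}

// Resolve one (principal, action) pair against the key policy. An explicit
// Deny wins over any Allow; no matching statement means the call is refused.
function evaluateKeyPolicy(doc: PolicyDocument, principalArn: string, action: string): "allow" | "deny" | "none" {
  let allowed = false;
  for (const st of doc.Statement) {
    const principalHit = principalsOf(st.Principal).some(p => p === "*" || p === principalArn);
    const actionHit = asList(st.Action).some(a => actionMatches(a, action));
    if (!principalHit || !actionHit) continue;
    if (st.Effect === "Deny") return "deny";
    allowed = true;
  }
  return allowed ? "allow" : "none";
}

// Action S3 needs on the key for SSE-KMS PutObject, per the support article the issue cites.
const S3_PUT_OBJECT_KMS_ACTIONS = ["kms:GenerateDataKey"];

// Lists the required actions the principal is not allowed to call.
function missingActions(doc: PolicyDocument, principalArn: string,
                        required: string[] = S3_PUT_OBJECT_KMS_ACTIONS): string[] {
  return required.filter(a => evaluateKeyPolicy(doc, principalArn, a) !== "allow");
}

// Returns a copy of the policy with a statement mirroring the issue's workaround.
function withGenerateDataKey(doc: PolicyDocument, principalArn: string): PolicyDocument {
  const fix: Statement = {
    Sid: "AllowS3DataKeyGeneration",
    Effect: "Allow",
    Principal: { AWS: principalArn },
    Action: ["kms:GenerateDataKey"],
    Resource: "*",
  };
  return { ...doc, Statement: [...doc.Statement, fix] };
}

console.log("missing before fix:", missingActions(INCOMPLETE_KEY_POLICY, ROOT_PRINCIPAL));
console.log("missing after fix:",
  missingActions(withGenerateDataKey(INCOMPLETE_KEY_POLICY, ROOT_PRINCIPAL), ROOT_PRINCIPAL));
```

Running the block reports `kms:GenerateDataKey` as missing for the constructed policy and nothing missing once the workaround statement is appended; pointing `missingActions` at the policy document a CDK synth emits for the key gives the same check against real output.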
@yandy-r yandy-r added the needs-triage This issue or PR still needs to be triaged. label Jul 29, 2019
@NGL321 NGL321 added bug This issue is a bug. @aws-cdk/aws-kms Related to AWS Key Management and removed needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2019
eladb pushed a commit that referenced this issue Jul 30, 2019
Fixes #3458 where an incomplete default resource policy for the root account principal was generated, requiring a workaround.

See issue #3458 for the complete reference.