While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column:
Did not have IAM permissions to process tags on AWS::KMS::Key resource
The cloudformation stack seems to be created correctly, but I was wondering what I can do to prevent this message from being shown?
I'm using the following Cloudformation template to create a KMS key:
AWSTemplateFormatVersion: "2010-09-09"
Description: "KMS key"
Outputs:
  KeyArn:
    Value: !Sub "${KmsKey.Arn}"
Resources:
  KmsKey:
    Properties:
      Description: "KMS key"
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
    Type: "AWS::KMS::Key"
  KmsKeyAlias:
    Properties:
      AliasName: "alias/KmsKey"
      TargetKeyId: !Ref "KmsKey"
    Type: "AWS::KMS::Alias"
The role I use to create the resource allows the following actions:
- Action:
    - kms:Create*
    - kms:List*
  Effect: "Allow"
  Resource: "*"
- Action:
    - kms:Describe*
    - kms:Enable*
    - kms:Put*
    - kms:Update*
    - kms:Get*
    - kms:Decrypt
    - kms:Encrypt
  Effect: "Allow"
  Resource:
    - "arn:aws:kms:*:*:key/*"
To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies. IAM policies can control access to any AWS KMS operation.
Remove Unnecessary Permissions in Your IAM Policies by Using Service Last Accessed Data. As a security best practice, AWS recommends writing AWS Identity and Access Management (IAM) policies that adhere to the principle of least privilege, which means granting only the permissions required to perform a specific task.
My role was missing the following action:
- kms:TagResource
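To see why the role in the question fails the tag step even though it grants several kms:* wildcards, the following added example (not code from the asker or the answerer) evaluates a constructed policy document modelled on that role against the actions the deployment needs for the template above. The required-action list, the sample key ARN and the account id are constructed for the example; the matching logic implements IAM's action wildcard semantics (case-insensitive, `*` and `?`) but deliberately ignores Deny statements and Condition blocks.

```python
import fnmatch
import json

# Constructed policy modelled on the deployment role in the question.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Create*", "kms:List*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["kms:Describe*", "kms:Enable*", "kms:Put*", "kms:Update*",
                       "kms:Get*", "kms:Decrypt", "kms:Encrypt"],
            "Resource": ["arn:aws:kms:*:*:key/*"],
        },
    ],
}

# Actions the template needs: create the key, tag it, create the alias, read it back.
# Constructed for this example; not an exhaustive CloudFormation requirement list.
REQUIRED_ACTIONS = ["kms:CreateKey", "kms:TagResource", "kms:CreateAlias", "kms:DescribeKey"]

# Placeholder key ARN (constructed account id and key id) used as the resource being acted on.
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action, resource=EXAMPLE_KEY_ARN):
    """True if some Allow statement matches both the action and the resource.

    Action names are compared case-insensitively; `*` and `?` are the only IAM
    wildcards, which fnmatch handles. Simplification: Deny statements and
    Condition blocks are not evaluated here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_pats = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resource_pats = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in action_pats) and \
           any(fnmatch.fnmatchcase(resource, p) for p in resource_pats):
            return True
    return False


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement in `policy` grants."""
    return [a for a in required if not action_allowed(policy, a)]


def with_tag_permissions(policy):
    """Return a copy of `policy` with an explicit tagging statement appended.

    kms:UntagResource is added alongside kms:TagResource so that stack updates
    which remove tags can also be applied; scoping it to key ARNs keeps the
    grant narrow rather than reopening it with a wildcard.
    """
    fixed = json.loads(json.dumps(policy))  # deep copy without mutating the input
    fixed["Statement"].append({
        "Effect": "Allow",
        "Action": ["kms:TagResource", "kms:UntagResource"],
        "Resource": ["arn:aws:kms:*:*:key/*"],
    })
    return fixed


if __name__ == "__main__":
    print("missing before fix:", missing_actions(ROLE_POLICY))          # ['kms:TagResource']
    print("missing after fix: ", missing_actions(with_tag_permissions(ROLE_POLICY)))  # []
```

Running the script shows that kms:Create*, kms:Put*, kms:Update* and the rest never match kms:TagResource, which is exactly the action the "Status Reason" message is complaining about; adding a single narrowly scoped tagging statement closes the gap without widening the rest of the role.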