Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation

While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column:

Did not have IAM permissions to process tags on AWS::KMS::Key resource

The cloudformation stack seems to be created correctly, but I was wondering what I can do to prevent this message from being shown?

I'm using the following Cloudformation template to create a KMS key:

AWSTemplateFormatVersion: "2010-09-09"
Description: "KMS key"
Outputs:
  KeyArn:
    Value: !Sub "${KmsKey.Arn}"
Resources:
  KmsKey:
    Properties:
      Description: "KMS key"
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal: 
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"          
    Type: "AWS::KMS::Key"
  KmsKeyAlias:    
    Properties:
      AliasName: "alias/KmsKey"
      TargetKeyId: !Ref "KmsKey"
    Type: "AWS::KMS::Alias"

The role I use to create the resource allows the following actions:

- Action:
    - kms:Create*
    - kms:List*
  Effect: "Allow"
  Resource: "*"
- Action:
    - kms:Describe*
    - kms:Enable*
    - kms:Put*
    - kms:Update*
    - kms:Get*
    - kms:Decrypt
    - kms:Encrypt
  Effect: "Allow"
  Resource:
    - "arn:aws:kms:*:*:key/*"
like image 348
Nic Avatar asked Feb 23 '18 03:02

Nic


People also ask

How do you give IAM role access to KMS key?

To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies. IAM policies can control access to any AWS KMS operation.

How do I give IAM permissions in AWS?

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab. Choose Add permissions, and then choose Copy permissions from existing user.

How do I use KMS key in Cloudformation?

To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key ). AWS KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the AWS Key Management Service Developer Guide.

Which feature of AWS Amazon Web Service IAM enables you to identify unnecessary permissions that have been assigned to users?

Remove Unnecessary Permissions in Your IAM Policies by Using Service Last Accessed Data. As a security best practice, AWS recommends writing AWS Identity and Access Management (IAM) policies that adhere to the principle of least privilege, which means granting only the permissions required to perform a specific task.


1 Answers

My role was missing the following action:

- kms:TagResource
like image 150
Nic Avatar answered Nov 03 '22 20:11

Nic