Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation

Tags:

amazon-web-services

amazon-iam

amazon-cloudformation

amazon-kms

While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column:

Did not have IAM permissions to process tags on AWS::KMS::Key resource

The cloudformation stack seems to be created correctly, but I was wondering what I can do to prevent this message from being shown?

I'm using the following Cloudformation template to create a KMS key:

AWSTemplateFormatVersion: "2010-09-09"
Description: "KMS key"
Outputs:
  KeyArn:
    Value: !Sub "${KmsKey.Arn}"
Resources:
  KmsKey:
    Properties:
      Description: "KMS key"
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal: 
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"          
    Type: "AWS::KMS::Key"
  KmsKeyAlias:    
    Properties:
      AliasName: "alias/KmsKey"
      TargetKeyId: !Ref "KmsKey"
    Type: "AWS::KMS::Alias"

The role I use to create the resource allows the following actions:

- Action:
    - kms:Create*
    - kms:List*
  Effect: "Allow"
  Resource: "*"
- Action:
    - kms:Describe*
    - kms:Enable*
    - kms:Put*
    - kms:Update*
    - kms:Get*
    - kms:Decrypt
    - kms:Encrypt
  Effect: "Allow"
  Resource:
    - "arn:aws:kms:*:*:key/*"
like image 348
Nic Avatar asked Feb 23 '18 03:02

Nic

People also ask

How do you give IAM role access to KMS key?

To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies. IAM policies can control access to any AWS KMS operation.

How do I give IAM permissions in AWS?

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab. Choose Add permissions, and then choose Copy permissions from existing user.

How do I use KMS key in Cloudformation?

To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key ). AWS KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the AWS Key Management Service Developer Guide.

Which feature of AWS Amazon Web Service IAM enables you to identify unnecessary permissions that have been assigned to users?

Remove Unnecessary Permissions in Your IAM Policies by Using Service Last Accessed Data. As a security best practice, AWS recommends writing AWS Identity and Access Management (IAM) policies that adhere to the principle of least privilege, which means granting only the permissions required to perform a specific task.

1 Answers

My role was missing the following action:

- kms:TagResource
like image 150
Nic Avatar answered Nov 03 '22 20:11

Nic
Sign in to Comment

Related questions

CloudFormation -- possible to have nested Mappings?
How can I import LambdaContext?
Connecting to AWS Postgres Instance For Django Backend
Can we filter messages from Amazon SQS queue by message attributes?
Why are "weird" TCP ports required for my AWS ECS app to pull from ECR?
Integrate existing AWS Cognito user pool into iOS project with Amplify
When I get 'services has reached steady state', in Amazon ECS does it means some tasks had stopped?
How to scale MongoDB?
AWS - Configuring access to EC2 instance from Beanstalk App
Amazon SNS -> SQS message body
AWS Security Groups - EC2 to RDS
Flask web app not responding to external requests on EC2
Dynamodb: Querying tables with secondary index
How can access AWS RDS by CLI / PUTTY?
How I install specific fonts on my AWS EC2 instance?
How AWS Lambda container reuse works?
AWS Cognito User Authentication
Multiple IP addresses for Resource Record Sets of Route 53
aws snapshot to new db
AWS API Gateway with static IP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!