This course explores how to enforce data security measures within the AWS Key Management Service to ensure that the appropriate controls are in place to effectively protect both company and customer data from being accessed by unauthorized parties.
- Understand how you can use Key Policies, IAM policies, and Grants to control access to KMS keys.
- Learn how to create a new KMS Key and edit key policies.
- Learn how a user can delegate temporary permissions to another principal using grants.
Anyone with the responsibility of enforcing data security measures within AWS, ensuring that both company and customer data are protected from being accessed by unauthorized parties.
To get the most out of this course, you should have a basic understanding of the AWS Key Management Service and some of the core AWS services. You should also be familiar with the format and syntax of IAM Policies.
Understanding who has access to a KMS key can be a little confusing, as there are three potential ways of gaining access to and using a KMS key: through the key policy, through IAM policies, and through grants.
Determining the correct level of access means you need to understand how these access methods all work in conjunction with one another. So let's look at a simple example to ensure we understand some key points. In this scenario, we have three KMS keys, and four users.
Here you can see the KMS keys, users and scenario statements that are applicable to this example.
So we have three KMS keys: Key-A, Key-B, and Key-C, and we have four users: Alana, Danny, Carlos, and Jorge.
So the Scenario statements are:
- Key-A's key policy enables IAM policies to be used to manage access (this is the key policy statement that grants kms:* to the account's root principal; without it, IAM policies have no effect on the key).
- Key-B's key policy allows Danny and Carlos to perform cryptographic operations. Controlling access via IAM has not been enabled for this key, so IAM policy permissions are ignored.
- Key-C's key policy enables IAM policies to be used to manage access. Access is also explicitly denied for Danny and Carlos, while full cryptographic operations access is given to Alana and Jorge. Jorge is additionally allowed to create grants.
- Alana's IAM policy permissions allow all KMS actions on Key-A and Key-B.
- Danny has no IAM policy permissions.
- Carlos' IAM policy permissions allow KMS encrypt access on Key-A only.
- Jorge's IAM policy permissions allow all KMS actions on Key-B and Key-C.
So let's now look at each of these users' access to see if they can perform cryptographic operations, starting with Alana.
Alana's access to Key-A is successful, as her IAM policy permissions allow all KMS actions against Key-A and Key-A's key policy allows IAM policies to be used to manage access. Her access to Key-B is denied: the key policy for this key does not allow IAM policies to be used, and it does not name her directly, so her IAM permissions for Key-B are disregarded. Alana's access to Key-C is successful because the key policy grants her access directly; she needs no IAM policy permissions for Key-C, and indeed has none.
Now let's take a look at Danny. His access to Key-A is denied, as there are no entries in the key policy for Danny and he has no IAM policy permissions. His access to Key-B is successful, as the key policy grants Danny access directly despite him having no IAM policy permissions. Danny's access to Key-C is denied due to the explicit deny for him within the key policy. An explicit 'deny' will always overrule any other allow, whichever policy the allow appears in.
Now let's look at Carlos' access. For Key-A, he has 'encrypt' access only, which is given through his IAM policy permissions, and the key policy allows IAM policies to be used to manage access; any other cryptographic operation, such as decrypt, is denied. For Key-B, access is also successful, as the key policy grants him access directly. His IAM policy permissions are irrelevant here, as the key policy does not allow IAM policies to be used to manage access. His access to Key-C is denied due to the explicit deny within the key policy, and an explicit deny overrules any other allow.
And finally Jorge's access. He has no access to Key-A, as neither the key policy nor his IAM policy permissions provide access. He has no access to Key-B, as the key policy for this key does not allow IAM policies to be used. So despite access being granted at the IAM policy level for Jorge, the key policy does not delegate to IAM and his IAM permissions are disregarded. Access to Key-C is allowed for KMS cryptographic operations, in addition to the ability to create grants. Note that kms:CreateGrant lets Jorge delegate use of Key-C to other principals, so it should be given sparingly; where grants are only needed for AWS services that integrate with KMS, the kms:GrantIsForAWSResource condition key can restrict it to that use.
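The scenario statements and the four access walkthroughs above, worked through as code. This is an added example and not part of the course: the account ID 111122223333, the region, the user and key ARNs, and the three key policies and four IAM policies are all constructed to match the scenario statements, and the evaluator is a simplified model of how KMS combines the two policy types (an explicit deny wins; a key policy can allow a principal directly; IAM policies are consulted only when the key policy delegates to the account root principal). It ignores conditions, grants, wildcard principals, cross-account access, SCPs and permission boundaries.

```python
"""Worked evaluation of the Key-A / Key-B / Key-C scenario.

Added example, not course material. The account ID (111122223333), region,
user and key ARNs and the policy documents are constructed to match the
scenario statements. The evaluator is a simplified model of KMS
authorisation: explicit Deny wins; the key policy may allow a principal
directly; IAM policies count only when the key policy delegates to the
account root. Conditions, grants, wildcard principals, cross-account
access and SCPs are ignored.
"""
from fnmatch import fnmatchcase

ACCOUNT, REGION = "111122223333", "us-east-1"   # constructed values
ROOT = f"arn:aws:iam::{ACCOUNT}:root"


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def key_arn(name):
    # real key IDs are UUIDs; the scenario names are used here for readability
    return f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{name}"


# the standard "Enable IAM User Permissions" statement: delegates to IAM
ROOT_STMT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}
CRYPTO_OPS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
              "kms:GenerateDataKey*", "kms:DescribeKey"]

KEY_POLICIES = {  # constructed key policy statements, one list per key
    "Key-A": [ROOT_STMT],
    "Key-B": [  # no root statement, so IAM policies are ignored for this key
        {"Effect": "Allow", "Principal": {"AWS": [user_arn("Danny"), user_arn("Carlos")]},
         "Action": CRYPTO_OPS, "Resource": "*"}],
    "Key-C": [
        ROOT_STMT,
        {"Effect": "Deny", "Principal": {"AWS": [user_arn("Danny"), user_arn("Carlos")]},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [user_arn("Alana"), user_arn("Jorge")]},
         "Action": CRYPTO_OPS, "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": user_arn("Jorge")},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*"}],
}

IAM_POLICIES = {  # constructed identity-based statements attached to each user
    "Alana": [{"Effect": "Allow", "Action": "kms:*", "Resource": [key_arn("Key-A"), key_arn("Key-B")]}],
    "Danny": [],
    "Carlos": [{"Effect": "Allow", "Action": "kms:Encrypt", "Resource": key_arn("Key-A")}],
    "Jorge": [{"Effect": "Allow", "Action": "kms:*", "Resource": [key_arn("Key-B"), key_arn("Key-C")]}],
}


def _match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource, principal=None):
    # key policy statements carry a Principal; IAM statements do not
    if principal is not None and not _match(stmt["Principal"]["AWS"], principal):
        return False
    return _match(stmt["Action"], action) and _match(stmt["Resource"], resource)


def evaluate(user, key, action):
    """Return (allowed, reason) for one user/key/action, in KMS's evaluation order."""
    who, res = user_arn(user), key_arn(key)
    key_stmts, iam_stmts = KEY_POLICIES[key], IAM_POLICIES[user]
    if any(s["Effect"] == "Deny" and _applies(s, action, res, who) for s in key_stmts):
        return False, "explicit deny in key policy"
    if any(s["Effect"] == "Deny" and _applies(s, action, res) for s in iam_stmts):
        return False, "explicit deny in IAM policy"
    if any(s["Effect"] == "Allow" and _applies(s, action, res, who) for s in key_stmts):
        return True, "allowed directly by key policy"
    if not any(s["Effect"] == "Allow" and _applies(s, action, res, ROOT) for s in key_stmts):
        return False, "key policy does not delegate to IAM; IAM policy ignored"
    if any(s["Effect"] == "Allow" and _applies(s, action, res) for s in iam_stmts):
        return True, "allowed by IAM policy via key policy root delegation"
    return False, "no matching allow in key policy or IAM policy"


def is_allowed(user, key, action="kms:Encrypt"):
    return evaluate(user, key, action)[0]


def access_matrix(action="kms:Encrypt"):
    return {u: {k: is_allowed(u, k, action) for k in KEY_POLICIES} for u in IAM_POLICIES}


if __name__ == "__main__":
    for u in IAM_POLICIES:
        for k in KEY_POLICIES:
            ok, why = evaluate(u, k, "kms:Encrypt")
            print(f"{u:7} {k}: {'ALLOW' if ok else 'DENY ':5} ({why})")
```

Running the block prints the same twelve outcomes the walkthrough reaches, each with the reason KMS would apply. The order of checks is the point: the Key-C deny for Danny and Carlos is tested before any allow, Key-B's missing root statement short-circuits Jorge's otherwise-valid IAM permissions, and Carlos' decrypt on Key-A fails even though the key policy delegates to IAM because his IAM statement lists only kms:Encrypt.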
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.