# Implementing Access Policies for Encryption Keys

Encryption keys play a **critical role in securing data** across AWS services. To enforce **proper access control**, organizations must define and maintain **key policies, IAM policies, grants and, across an organization, service control policies (SCPs)** for **AWS Key Management Service (KMS) keys**.

This study guide covers:\
✔ **Key Policy vs. IAM Policy for KMS**\
✔ **Defining Access Controls for Encryption Keys**\
✔ **Best Practices for Securing AWS KMS Keys**\
✔ **Common Mistakes & How to Avoid Them**\
✔ **SecureCart Use Case: Protecting Customer Payment Data**

***

### **🔹 Understanding AWS KMS Access Control**

AWS KMS **does not rely solely on IAM policies**. Every KMS key carries its own **key policy**, which is the primary access control; **IAM policies, grants and SCPs** extend or restrict what that key policy permits.

| **Access Control Type**             | **Purpose**                                                                      |
| ----------------------------------- | -------------------------------------------------------------------------------- |
| **KMS Key Policies**                | The resource-based policy attached **directly to the key** (mandatory for every key). It is the primary control and decides whether IAM policies apply to the key at all. |
| **IAM Policies**                    | Grant users, groups, or roles permission to **use or manage KMS keys**, but only take effect for keys whose key policy delegates to the account (the standard `root` principal statement). |
| **Grants**                          | Delegate a fixed set of operations on one key to a grantee. Commonly created by integrated services (e.g., RDS, EBS, Lambda) on your behalf; revocable and constrained by encryption context, **not time-limited**. |
| **Service Control Policies (SCPs)** | Cap what principals in the member accounts of an AWS Organization may do with KMS. SCPs never grant access; they only restrict it. |

**📌 Important:** An IAM policy **cannot grant access that the key policy does not allow**. IAM policies work for a key only when its key policy contains the standard statement allowing the account's `root` principal, which delegates the decision to IAM. An explicit **Deny** in the key policy, an IAM policy, or an SCP wins over any Allow, so an IAM user with `kms:Decrypt` in an IAM policy still **cannot** use a key whose key policy denies it or never delegated to IAM.

***

### **🔹 SecureCart Use Case: Protecting Customer Payment Data**

SecureCart, an **e-commerce platform**, needs to **encrypt customer credit card transactions** stored in Amazon RDS and **secure API keys** used by third-party vendors.

**✅ SecureCart’s Requirements:**\
✔ Only **authorized applications** can decrypt credit card transactions.\
✔ **Developers should not have direct access** to encryption keys.\
✔ **Auditors need read-only access** to encryption logs.\
✔ Key usage must be **tracked and logged** for compliance.

***

### **🔹 Step-by-Step: Implementing Access Policies for KMS Keys**

#### **1️⃣ Create a KMS Key for SecureCart’s Payment Transactions**

✅ **Steps:**

1. Navigate to **AWS KMS** → **Create Key**.
2. Select **Symmetric** key type with key usage **Encrypt and decrypt** (`ENCRYPT_DECRYPT`).
3. Add an **Alias** (e.g., `alias/securecart-payment-key`) so applications never hard-code the key ID.
4. Choose **key administrators** (a role that may manage the key but not use it to decrypt).
5. Configure the **Key Policy** (detailed below). Always keep a statement that lets some principal call `kms:PutKeyPolicy`; a key whose policy nobody can edit is unmanageable.

**📌 Why Use KMS?**\
✔ **Helps meet PCI DSS key-management requirements**: key material never leaves the service's HSMs, and every use is logged.\
✔ **Provides centralized key management** with fine-grained, per-key access controls.\
✔ **Integrates with AWS services** (S3, RDS, Lambda, API Gateway) through grants and service-linked access.

***

#### **2️⃣ Define Key Policies for Fine-Grained Access Control**

✅ **Access matrix for SecureCart's payment key:**

| **User/Service**               | **Permission**                                                        | **Justification**                                                        |
| ------------------------------ | --------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| **SecureCart Lambda Function** | `kms:Encrypt`, `kms:Decrypt`, only with the expected encryption context | Encrypt/decrypt transactions.                                            |
| **Key Administrators**         | Management actions (`kms:PutKeyPolicy`, `kms:EnableKeyRotation`, `kms:DescribeKey`, ...), no `kms:Decrypt` | Manage the key without being able to read payment data. |
| **Database Admins**            | `kms:DescribeKey`                                                     | View key metadata; no decrypt and no policy changes.                     |
| **Auditors**                   | `kms:DescribeKey`, `kms:GetKeyPolicy`, `kms:GetKeyRotationStatus`     | Compliance reporting (read-only). `kms:ListKeys` is account-wide and belongs in the IAM policy, not the key policy. |
| **Developers**                 | ❌ No access                                                           | Prevent unauthorized key usage.                                          |

Only the Lambda role is named directly in the key policy. Administrators, database admins and auditors receive their permissions through IAM policies, which the key policy enables with its `root` statement; developers have neither, so they get nothing.

**📌 Key Policy JSON:**

```json
{
  "Version": "2012-10-17",
  "Id": "SecureCartKeyPolicy",
  "Statement": [
    {
      "Sid": "EnableIAMPolicies",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowPaymentLambdaUse",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/securecart-lambda" },
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:app": "securecart-payments" }
      }
    },
    {
      "Sid": "DenyKeyDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:ScheduleKeyDeletion",
      "Resource": "*"
    }
  ]
}
```

**🔹 Why This Matters?**\
✔ The `root` statement is what lets IAM policies (key administrators, auditors) apply to this key. It grants nothing to developers by itself; they also need an IAM policy, which they do not get.\
✔ Only the **SecureCart Lambda** role gets a direct `kms:Encrypt`/`kms:Decrypt` grant, and only when the request carries `app=securecart-payments` as encryption context, so the same role cannot decrypt ciphertext written by another application.\
✔ Key deletion is denied for everyone. The action is `kms:ScheduleKeyDeletion` (there is no `kms:DeleteKey` action). Any principal with `kms:PutKeyPolicy` could still remove this statement, so it guards against mistakes; the SCP in step 5 is the control that account administrators cannot undo.\
✔ Without the `root` statement the key could only ever be managed by principals listed here; KMS rejects a policy that would lock the caller out unless `BypassPolicyLockoutSafetyCheck` is set, and that flag should never be used.

***

#### **3️⃣ Implement IAM Policies for Secure Access**

IAM policies assign KMS permissions to roles (role-based access control, RBAC). They take effect only for keys whose key policy contains the standard statement allowing the account's `root` principal; for such keys, grant per-key actions on the key ARN and keep account-level list actions (`kms:ListKeys`, `kms:ListAliases`), which are not tied to a key, in a separate statement with `Resource: "*"`.

✅ **Example IAM Policy for SecureCart Auditors (Read-Only Access):**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListKeysAccountWide",
      "Effect": "Allow",
      "Action": ["kms:ListKeys", "kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Sid": "ReadPaymentKeyMetadata",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus"],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

**🔹 Why Use IAM Policies?**\
✔ Assigns **fine-grained permissions** to IAM roles without editing the key policy for every reader.\
✔ Supports **least privilege**: auditors can read metadata and rotation status but hold no `kms:Decrypt`, so they can verify controls without touching payment data.\
✔ Scoping the second statement to the key ARN keeps the auditor role from reading the policies of keys outside its remit.

***

#### **4️⃣ Use AWS KMS Grants for Delegated Access**

Grants are a second resource-based mechanism on a key. A principal that holds `kms:CreateGrant` can delegate a fixed set of operations on one key to another principal (the grantee). Integrated AWS services rely on them: when SecureCart enables encryption on its RDS instance, RDS creates a grant so it can generate and decrypt the data keys that protect the instance's storage, without the service role ever appearing in the key policy. Grants are **not time-limited**; each lasts until it is retired or revoked, so the control point is who may create them and which constraints they must carry.

**✅ Example: IAM policy for the SecureCart deployment role, allowing it to create grants on the payment key only when the grant is constrained to an exact encryption context**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateGrantsOnlyWithContextConstraint",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": { "kms:GrantConstraintType": "EncryptionContextEquals" }
      }
    },
    {
      "Sid": "ManageExistingGrants",
      "Effect": "Allow",
      "Action": ["kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

The `kms:GrantConstraintType` condition key only exists on `CreateGrant` requests, which is why `ListGrants` and `RevokeGrant` sit in their own statement; a condition on a key that is absent from the request simply fails to match.

**🔹 Why Use Grants?**\
✔ Delegates use of one key to a service or workload without rewriting the key policy on every deployment.\
✔ Encryption-context constraints (`EncryptionContextEquals` or `EncryptionContextSubset`) stop the grantee from decrypting data written under a different context.\
✔ Revocable at any time with `kms:RevokeGrant` (a grantee can retire its own grant with `kms:RetireGrant`); list them with `kms:ListGrants` during access reviews, because a forgotten grant is standing access.\
📌 Caveats: a newly created grant can take a short time to become effective everywhere unless the grant token returned by `CreateGrant` is passed on the first call, and for grants that an AWS service creates on your behalf the condition to require is `kms:GrantIsForAWSResource`.

***

#### **5️⃣ Enforce Organization-Wide Key Restrictions with SCPs**

SecureCart enforces **global KMS guardrails** across all member accounts of its AWS Organization. SCPs never grant permissions; they set the ceiling of what an account can do, so they are the right place for a rule that no account-level administrator should be able to edit away.

✅ **Service Control Policy (SCP) Example:**\
✔ **Prevents KMS key deletion in every member account**, except by a designated break-glass role

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKeyDeletionExceptBreakGlass",
      "Effect": "Deny",
      "Action": ["kms:ScheduleKeyDeletion"],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/securecart-kms-breakglass"
        }
      }
    }
  ]
}
```

**🔹 Why Use SCPs?**\
✔ Enforces **enterprise-wide security policies** that account administrators cannot remove, unlike a Deny in a key policy, which anyone with `kms:PutKeyPolicy` can delete.\
✔ Prevents **accidental key deletion** while keeping one audited path (the break-glass role) for a genuine deletion.\
📌 Caveats: SCPs do not apply to the organization's management account, so keep KMS keys out of it. A condition on `aws:PrincipalOrgID` is redundant in an SCP, because an SCP only ever applies to the organization's own accounts. Protect the break-glass role name too (for example, an SCP that denies `iam:*` on that role to everyone but a central security role), otherwise any account administrator can create a role with that name and bypass the guardrail.
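The following is an added example, not AWS code and not part of this guide's original material: a small Python model of the evaluation order the sections above describe (SCP first, then key policy, then IAM policy via the key policy's `root` statement), run against constructed SecureCart policies. The role names, the key ID and the policy contents are assumptions for the scenario. The evaluator covers only the statement elements used on this page and ignores grants, permission boundaries and session policies, so use it to reason about the rules, not as a replacement for the IAM policy simulator.

```python
"""Toy model of how AWS KMS combines an SCP, a key policy and an IAM policy.

Added example for this guide, not AWS code and not a full IAM engine: it handles
only Effect, Principal, Action, Resource and the StringEquals / ArnNotLike
operators, and ignores grants, permission boundaries and session policies.
Rules modelled: an explicit Deny anywhere wins; the SCP must allow the call;
an IAM Allow counts only if the key policy's root statement delegates to the
account. ARNs, the key ID and the policies are constructed for SecureCart.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
LAMBDA = f"arn:aws:iam::{ACCOUNT}:role/securecart-lambda"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:role/securecart-auditor"
DEVELOPER = f"arn:aws:iam::{ACCOUNT}:role/securecart-developer"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/securecart-kms-admin"
BREAK_GLASS = f"arn:aws:iam::{ACCOUNT}:role/securecart-kms-breakglass"

KEY_POLICY = {"Statement": [  # constructed: root delegation + Lambda with encryption context
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA}, "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Resource": "*", "Condition": {"StringEquals": {"kms:EncryptionContext:app": "securecart-payments"}}},
]}
AUDITOR_IAM = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:GetKeyPolicy"], "Resource": KEY_ARN}]}
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
SCP = {"Statement": [  # FullAWSAccess plus a deletion guardrail with a break-glass exception
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, arn):
    return principal == "*" or any(p in ("*", arn) for p in _as_list(principal.get("AWS", [])))

def _conditions_hold(condition, ctx):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, patterns = ctx.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in patterns:
                return False  # a missing context key never satisfies StringEquals
            if operator == "ArnNotLike" and actual is not None and any(
                    fnmatchcase(actual, p) for p in patterns):
                return False
            if operator not in ("StringEquals", "ArnNotLike"):
                raise NotImplementedError(operator)
    return True

def _verdicts(policy, arn, action, ctx, *, resource_based):
    """Effects of every statement that matches the request against KEY_ARN."""
    effects = []
    for st in policy["Statement"]:
        if resource_based and not _principal_matches(st["Principal"], arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(KEY_ARN, r) for r in _as_list(st["Resource"])):
            continue
        if _conditions_hold(st.get("Condition"), ctx):
            effects.append(st["Effect"])
    return effects

def is_allowed(arn, action, key_policy, iam_policy=None, scp=None, encryption_context=None):
    """Return (allowed, reason) for principal `arn` calling `action` on KEY_ARN."""
    ctx = {"aws:PrincipalArn": arn}
    ctx.update({f"kms:EncryptionContext:{k}": v for k, v in (encryption_context or {}).items()})
    if scp is not None:  # an SCP never grants; it only caps what the account may do
        scp_effects = _verdicts(scp, arn, action, ctx, resource_based=False)
        if "Deny" in scp_effects or "Allow" not in scp_effects:
            return False, "blocked by SCP"
    key_effects = _verdicts(key_policy, arn, action, ctx, resource_based=True)
    if "Deny" in key_effects:
        return False, "explicit Deny in key policy"
    iam_effects = _verdicts(iam_policy, arn, action, ctx, resource_based=False) if iam_policy else []
    if "Deny" in iam_effects:
        return False, "explicit Deny in IAM policy"
    if "Allow" in key_effects:
        return True, "allowed directly by key policy"
    # an IAM Allow counts only if the key policy hands control to the account root
    delegated = "Allow" in _verdicts(key_policy, ROOT, action, ctx, resource_based=True)
    if "Allow" in iam_effects and delegated:
        return True, "allowed by IAM policy via key-policy root statement"
    return False, "no matching Allow"

def securecart_scenarios():
    """Name -> allowed? for the checks a reviewer runs before shipping these policies."""
    pay = {"app": "securecart-payments"}
    return {
        "lambda decrypt with context": is_allowed(LAMBDA, "kms:Decrypt", KEY_POLICY, None, SCP, pay)[0],
        "lambda decrypt without context": is_allowed(LAMBDA, "kms:Decrypt", KEY_POLICY, None, SCP)[0],
        "developer decrypt": is_allowed(DEVELOPER, "kms:Decrypt", KEY_POLICY, None, SCP)[0],
        "auditor reads key policy": is_allowed(AUDITOR, "kms:GetKeyPolicy", KEY_POLICY, AUDITOR_IAM, SCP)[0],
        "auditor decrypt": is_allowed(AUDITOR, "kms:Decrypt", KEY_POLICY, AUDITOR_IAM, SCP)[0],
        "admin schedules deletion": is_allowed(ADMIN, "kms:ScheduleKeyDeletion", KEY_POLICY, ADMIN_IAM, SCP)[0],
        "break-glass schedules deletion": is_allowed(BREAK_GLASS, "kms:ScheduleKeyDeletion", KEY_POLICY, ADMIN_IAM, SCP)[0],
    }
```

Two outcomes are worth trying by hand: drop the first statement from `KEY_POLICY` and the auditors' IAM policy silently becomes a no-op, because nothing delegates to IAM any more; and the SCP blocks `kms:ScheduleKeyDeletion` for the admin role even though both the key policy (via `root`) and its IAM policy allow `kms:*`, while the named break-glass role gets through.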

***

### **🔹 Best Practices for KMS Access Policies**

✅ **Use IAM Roles Instead of IAM Users** – Short-lived role credentials limit the blast radius of a leaked access key.\
✅ **Enable Automatic Key Rotation** – Limits how much data is encrypted under any one backing key. KMS keeps the old key material to decrypt existing ciphertext, so rotation does not re-encrypt data or retire a compromised key version by itself.\
✅ **Restrict Key Deletion** – A Deny in the key policy plus an SCP; deleting a key makes every ciphertext under it unrecoverable.\
✅ **Use Encryption Context** – Non-secret key/value pairs bound to each ciphertext and required again on decrypt. They appear in CloudTrail and can be enforced in policy conditions (`kms:EncryptionContext:<key>`), so a role is limited to its own application's data.\
✅ **Log Key Usage with CloudTrail** – Every KMS API call, including `Decrypt` and `GenerateDataKey`, is recorded with the caller, key ARN and encryption context; alert on calls from unexpected principals.

***

### **🔹 Common Mistakes & How to Avoid Them**

| **Mistake**                                          | **Impact**                                                        | **Solution**                                                                                      |
| ---------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| **Granting IAM users with long-lived keys direct KMS access** | A leaked access key gives durable access to encrypted data | Use IAM roles with short-lived credentials.                                                        |
| **Writing a key policy with no administrator or `root` statement** | Nobody can change the policy; the key is unmanageable  | Keep a `root` or key-administrator statement, never set `BypassPolicyLockoutSafetyCheck`, and test access with the IAM policy simulator before saving. |
| **Disabling key rotation**                           | More data under a single key version; compliance findings          | Enable automatic rotation.                                                                        |
| **Not logging KMS API calls**                        | No way to tell which principal decrypted what                      | Keep CloudTrail on in every region and alert on unusual KMS activity.                             |
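An added example, not AWS tooling and not code from this guide: a small Python linter that checks a key policy document for the mistakes in the table above before the policy is applied. `KNOWN_ACTIONS` is a subset of real KMS action names; the Lambda role ARN and the two sample policies are constructed, one carrying three of the mistakes and one written the way the steps above recommend.

```python
"""Lint a KMS key policy for the mistakes in the table above.

Added example for this guide, not AWS tooling. It checks a key policy document
(as a dict) for: no principal able to change the policy (an unmanageable key),
an Allow open to every principal with no condition, action names that do not
exist, account-level actions that a key policy cannot grant, and Decrypt
permissions without an encryption-context condition. KNOWN_ACTIONS is a subset
of real KMS actions; the sample policies are constructed.
"""
from fnmatch import fnmatchcase

KNOWN_ACTIONS = {"kms:" + a for a in (
    "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair", "DescribeKey",
    "GetKeyPolicy", "PutKeyPolicy", "ListKeyPolicies", "GetKeyRotationStatus",
    "EnableKeyRotation", "DisableKeyRotation", "EnableKey", "DisableKey",
    "ScheduleKeyDeletion", "CancelKeyDeletion", "CreateGrant", "ListGrants",
    "RevokeGrant", "RetireGrant", "CreateAlias", "DeleteAlias", "UpdateAlias",
    "TagResource", "UntagResource", "ListResourceTags", "UpdateKeyDescription",
    "ListKeys", "ListAliases", "CreateKey", "GenerateRandom")}
# These act on the account, not on one key, so a key policy cannot grant them.
ACCOUNT_LEVEL = {"kms:ListKeys", "kms:ListAliases", "kms:CreateKey", "kms:GenerateRandom"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(st):
    principal = st.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _allows(st, action):
    return st["Effect"] == "Allow" and any(fnmatchcase(action, a) for a in _as_list(st["Action"]))

def lint_key_policy(policy):
    """Return (code, sid, message) findings; an empty list means no issue found."""
    findings = []
    statements = policy["Statement"]
    if not any(_allows(st, "kms:PutKeyPolicy") for st in statements):
        findings.append(("NO_ADMIN", None, "nobody can change this key policy; the key is unmanageable"))
    for st in statements:
        sid = st.get("Sid")
        if st["Effect"] == "Allow" and "*" in _principals(st) and "Condition" not in st:
            findings.append(("OPEN_PRINCIPAL", sid, "Allow for every AWS principal with no condition"))
        for action in _as_list(st["Action"]):
            if "*" not in action and action not in KNOWN_ACTIONS:
                findings.append(("UNKNOWN_ACTION", sid, f"{action} is not a KMS action"))
            if action in ACCOUNT_LEVEL:
                findings.append(("ACCOUNT_LEVEL_ACTION", sid, f"{action} belongs in an IAM policy, not a key policy"))
        # the root statement delegates to IAM and is expected to carry kms:*; skip it here
        if _allows(st, "kms:Decrypt") and not any(p.endswith(":root") for p in _principals(st)):
            keys = [k for pairs in st.get("Condition", {}).values() for k in pairs]
            if not any(k.startswith("kms:EncryptionContext") for k in keys):
                findings.append(("DECRYPT_WITHOUT_CONTEXT", sid, "Decrypt allowed without an encryption-context condition"))
    return findings

LAMBDA = "arn:aws:iam::123456789012:role/securecart-lambda"  # constructed role ARN
# Constructed: a key policy with three of the mistakes from the table above.
BROKEN = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA}, "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    {"Effect": "Deny", "Principal": "*", "Action": ["kms:DeleteKey"], "Resource": "*"},
]}
# Constructed: the same intent, written so the linter passes.
CORRECTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowPaymentLambdaUse", "Effect": "Allow", "Principal": {"AWS": LAMBDA},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:EncryptionContext:app": "securecart-payments"}}},
    {"Sid": "DenyKeyDeletion", "Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
]}

if __name__ == "__main__":
    for code, sid, msg in lint_key_policy(BROKEN):
        print(f"{code:24} {sid or '-':24} {msg}")
    print("corrected policy findings:", lint_key_policy(CORRECTED))
```

Run it in a pre-deploy pipeline step against the policy JSON (`json.load` gives the dict the linter expects) and fail the deploy on any finding; the `NO_ADMIN` case is the one that is most expensive to discover after the fact.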

***

### **✅ Summary**

✔ **Use KMS Key Policies** as the primary, per-key access control; they decide whether IAM policies apply at all.\
✔ **Use IAM Policies** for role-based access control on top of a key policy that delegates to the account.\
✔ **Use Grants** to delegate constrained, revocable access to one key, typically for integrated services.\
✔ **Use SCPs** to enforce organization-wide guardrails that account administrators cannot remove.\
✔ **Log all KMS activity with AWS CloudTrail** for compliance and detection.
