Implementing Access Policies for Encryption Keys

Encryption keys play a critical role in securing data across AWS services. To ensure proper access control, organizations must define and enforce IAM policies, key policies, and permission boundaries for AWS Key Management Service (KMS) keys.

This study guide covers: ✔ Key Policy vs. IAM Policy for KMS ✔ Defining Access Controls for Encryption Keys ✔ Best Practices for Securing AWS KMS Keys ✔ Common Mistakes & How to Avoid Them ✔ SecureCart Use Case: Protecting Customer Payment Data

🔹 Understanding AWS KMS Access Control

AWS KMS does not rely solely on IAM policies. Instead, it uses a combination of IAM policies, Key Policies, and Grants to enforce access control.

Access Control Type

Purpose

KMS Key Policies

Controls access directly on the key itself (mandatory for all keys).

IAM Policies

Grants users, groups, or roles permission to use KMS keys.

Grants

Provides temporary permissions for specific AWS services (e.g., Lambda, S3).

Service Control Policies (SCPs)

Restricts KMS key usage across multiple AWS accounts.

📌 Important: Key Policies override IAM policies in KMS. If an IAM user has KMS permissions but the Key Policy denies access, the user will not be able to use the key.

🔹 SecureCart Use Case: Protecting Customer Payment Data

SecureCart, an e-commerce platform, needs to encrypt customer credit card transactions stored in Amazon RDS and secure API keys used by third-party vendors.

✅ SecureCart’s Requirements: ✔ Only authorized applications can decrypt credit card transactions. ✔ Developers should not have direct access to encryption keys. ✔ Auditors need read-only access to encryption logs. ✔ Key usage must be tracked and logged for compliance.

🔹 Step-by-Step: Implementing Access Policies for KMS Keys

1️⃣ Create a KMS Key for SecureCart’s Payment Transactions

✅ Steps:

Navigate to AWS KMS → Create Key.
Select Symmetric Key for encryption/decryption.
Define Key Usage (Encrypt & Decrypt).
Add an Alias (e.g., securecart-payment-key).
Configure Key Policy (detailed below).

📌 Why Use KMS? ✔ Meets PCI DSS compliance for securing payment data. ✔ Provides centralized key management with fine-grained access controls. ✔ Integrates with AWS services (S3, RDS, API Gateway).

2️⃣ Define Key Policies for Fine-Grained Access Control

✅ KMS Key Policy for SecureCart:

User/Service

Permission

Justification

SecureCart Lambda Function

kms:Encrypt, kms:Decrypt

Encrypt/decrypt transactions.

Database Admins

kms:DescribeKey, kms:Decrypt

View key details but no modifications.

Auditors

kms:ListKeys, kms:GetKeyPolicy

Compliance reporting (read-only).

Developers

❌ No access

Prevent unauthorized key usage.

📌 Key Policy JSON Excerpt:

jsonCopyEdit{
  "Id": "SecureCartKeyPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/securecart-lambda" },
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["kms:DeleteKey"],
      "Resource": "*"
    }
  ]
}

🔹 Why This Matters? ✔ Restricts key deletion. ✔ Allows only SecureCart Lambda to use the key. ✔ Blocks unauthorized access from developers.

3️⃣ Implement IAM Policies for Secure Access

IAM Policies help enforce role-based access control (RBAC) to KMS keys.

✅ Example IAM Policy for SecureCart Auditors (Read-Only Access):

jsonCopyEdit{
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "kms:GetKeyPolicy",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

🔹 Why Use IAM Policies? ✔ Assigns fine-grained permissions to IAM roles. ✔ Supports least privilege access control.

4️⃣ Use AWS KMS Grants for Temporary Access

Grants provide temporary permissions to AWS services (e.g., Lambda, RDS).

✅ Example: SecureCart Lambda Needs Temporary Access

jsonCopyEdit{
  "Effect": "Allow",
  "Action": [
    "kms:CreateGrant",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "kms:GrantConstraintType": "EncryptionContextEquals" }
  }
}

🔹 Why Use Grants? ✔ Limits access duration (reduces risk). ✔ Ideal for short-lived workloads (e.g., API calls).

5️⃣ Enforce Organization-Wide Key Restrictions with SCPs

SecureCart enforces global KMS security policies across all accounts.

✅ Service Control Policy (SCP) Example: ✔ Prevents KMS key deletion across all accounts

jsonCopyEdit{
  "Effect": "Deny",
  "Action": ["kms:ScheduleKeyDeletion"],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "aws:PrincipalOrgID": "o-abc12345" }
  }
}

🔹 Why Use SCPs? ✔ Enforces enterprise-wide security policies. ✔ Prevents accidental key deletion.

🔹 Best Practices for KMS Access Policies

✅ Use IAM Roles Instead of IAM Users – Reduces risk of credential leakage. ✅ Enable Key Rotation – Reduces impact of compromised keys. ✅ Restrict Key Deletion – Prevents accidental data loss. ✅ Use Encryption Context – Ensures keys are used only for specific purposes. ✅ Log Key Usage with CloudTrail – Enables security audits.

🔹 Common Mistakes & How to Avoid Them

Mistake

Impact

Solution

Granting IAM Users Direct KMS Access

Increases security risk

Use IAM roles instead.

Not Configuring Key Policies Properly

Users may be locked out

Always test access policies.

Disabling Key Rotation

Increases risk of key compromise

Enable key rotation for compliance.

Not Logging KMS API Calls

Lack of visibility

Use AWS CloudTrail for tracking.

✅ Summary

✔ Use KMS Key Policies for direct key access control. ✔ Use IAM Policies for role-based access control. ✔ Use Grants for temporary, limited access. ✔ Use SCPs to enforce organization-wide security. ✔ Log all KMS activity with AWS CloudTrail for compliance.

PreviousCompliance NextRotating Encryption Keys and Renewing Certificates

Last updated 24 days ago