3
votes

We have a number of SecureString SSM Parameter Store values created via our bash script automations. These are encrypted with an environment-specific KMS key + Alias created via CloudFormation.

Also in the templates are IAM Roles for our EC2 instances, which need to allow retrieval and decryption of the SSM parameters. To allow this we granted access to those IAM Roles upon KMS key creation by referencing their role ARNs as principals.

However, we have some non-environment-specific SSM variables on our AWS account that persist outside of our environment CloudFormation stacks and are used by all environments.

We have recently adapted those parameters to be encrypted with the default KMS key -- alias/aws/ssm.

This approach causes an issue with regard to automation, as we need to grant usage of the default KMS key to our IAM Roles in CloudFormation. I've read the AWS documentation and cannot figure out a way of doing this.

Has anyone managed to automate this?

SecureString SSM Parameter Store values created via CloudFormation. HOW?? – franklinsijo

Forgive me, our SecureStrings are created via bash in the same script we call the CloudFormation creation from. I've edited the description to reflect this. – x3nr0s

Clarifying, your question is about how to set the KMS key policy for alias/aws/ssm? – franklinsijo

My question is whether there is a way within CloudFormation that an IAM Role can be given access to decrypt SecureStrings encrypted with the default alias/aws/ssm key, instead of a custom created key. – x3nr0s

No, access policies are managed by AWS for such keys. – franklinsijo

1 Answer

2
votes

The default KMS key alias/aws/ssm is an AWS managed CMK. We cannot establish IAM policies or KMS key policies for AWS Managed CMKs.

Excerpt from the AWS KMS FAQ:

AWS will manage the policies associated with AWS managed CMKs on your behalf. You can track AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves.

You don't have to worry about defining IAM roles for accessing the alias/aws/ssm key; having access to the required SSM parameter is sufficient.
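The two cases the question and this answer describe, side by side in one CloudFormation template. This is an added example, not the asker's own scripts or templates: the environment-specific SecureStrings are protected by a customer managed KMS key whose key policy names the instance role as a principal (the approach the question describes), while the shared SecureStrings under a path encrypted with alias/aws/ssm need nothing beyond ssm:GetParameter* on the parameter ARN, because the managed key's policy is maintained by AWS. The parameter name EnvironmentName, the /shared/ parameter path, the logical resource names and the kms:ViaService condition (a tightening so the key can only be used through SSM) are assumptions made for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Constructed example: an EC2 instance role that reads environment-specific
  SecureStrings (customer managed key, role granted in the key policy) and
  shared SecureStrings (AWS managed key alias/aws/ssm, no key policy needed).

Parameters:
  EnvironmentName:
    Type: String
    Default: staging   # hypothetical environment name

Resources:
  # Role assumed by the EC2 instances. Only SSM permissions live here; use of
  # the custom key is granted in that key's policy below, and the AWS managed
  # key alias/aws/ssm needs no grant at all.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-secure-strings
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only the two parameter paths the instances
              # need, never "parameter/*".
              - Effect: Allow
                Action:
                  - ssm:GetParameter
                  - ssm:GetParameters
                  - ssm:GetParametersByPath
                Resource:
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${EnvironmentName}/*
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/shared/*

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole

  # Customer managed key for the environment-specific SecureStrings. The role
  # ARN is a principal in the key policy; kms:ViaService restricts the grant to
  # Decrypt calls that SSM makes on the role's behalf (assumed tightening).
  EnvironmentKey:
    Type: AWS::KMS::Key
    Properties:
      Description: !Sub SecureString key for ${EnvironmentName}
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Sub ${EnvironmentName}-ssm-key-policy
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowInstanceRoleDecryptViaSsm
            Effect: Allow
            Principal:
              AWS: !GetAtt InstanceRole.Arn
            Action:
              - kms:Decrypt
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub ssm.${AWS::Region}.amazonaws.com

  EnvironmentKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${EnvironmentName}-ssm
      TargetKeyId: !Ref EnvironmentKey

Outputs:
  InstanceProfileName:
    Value: !Ref InstanceProfile
  EnvironmentKeyAliasName:
    Value: !Ref EnvironmentKeyAlias
```

Note that the template contains no KMS statement at all for the shared parameters: an instance launched with this profile can run `aws ssm get-parameter --name /shared/example --with-decryption` (a constructed parameter name) and SSM decrypts it under alias/aws/ssm using the key policy AWS maintains, exactly as the answer states. Writing `!GetAtt InstanceRole.Arn` into the key policy, rather than referencing the key from the role's inline policy, also avoids a circular dependency between the role and the key in the same stack.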