1
votes
  1. I have a bucket with the file in it

  2. I've granted full access to test-user1 (who has AdministratorAccess policy in IAM) through the bucket policy

{
    "Version": "2012-10-17",
    "Id": "Policy1595762326470",
    "Statement": [
        {
            "Sid": "Stmt1595762736524",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:user/test-user1"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::test-user1-bucket"
        }
    ]
}

  3. Bucket uses AWS-KMS (CMK encryption) for that bucket and test-user1 is not among the key users list of that customer managed key

  4. The Key Policy is below:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Can test-user1 download and read the file from the bucket? If yes, why can he?

Have you tried it? – Mark B
Yeah, I've tried it, but I can't explain the result of this test. The user can download and read the file from S3. I expected that the user would have the ability to download, but not to read the file, because he isn't in the users list of this Customer Managed Key. What am I missing here? – kolyaiks
Post the resource policy of the CMK in your question. – Mark B
I've added the bucket policy to the question, Mark. – kolyaiks
Is the file readable when the test user downloads it? – Lamanus

2 Answers

2
votes

When you instruct S3 to use KMS to encrypt an object at rest, S3 will automatically utilize S3 to encrypt the object when it is stored, and to decrypt the object when it is accessed. If the KMS CMK's resource policy allows all IAM users in the account to utilize the key, then any IAM user with access to the S3 bucket can download the objects from S3, and what they receive will be unencrypted. If you lock down access to the CMK, then only users with permission to use the CMK for decryption (in addition to the permissions to access the S3 bucket) can download the object from S3. If a user did not have access to the KMS key the object is encrypted with, then instead of receiving an encrypted object from S3 like you expected, they would actually get an access denied error.

Your initial assumption that the user would be able to download the object from S3, but they would receive an encrypted version of the object, is incorrect because the decryption happens server-side within S3. If you want users to be able to download encrypted versions of files from S3 then you would have to encrypt the file yourself before uploading to S3.

1
votes

It wasn't mentioned in the key creation wizard, but besides the two explicitly set user types (admin of the key and regular user of the key), there was a default key policy that enables IAM policies to allow access to the CMK; its description is here: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam

A piece of my default key policy is below, as I mentioned earlier:

        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }

So, in the case when my user is allowed to use the key to decrypt through the IAM policy, he can get the file.

My user was an Admin with the AdministratorAccess policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

So, among other actions, he implicitly had this one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1595791311072",
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:us-east-1:xxx:key/eacb823d-79a5-4247-8751-e0e14c0b1d67"
        }
    ]
}

When I removed the user from the Admin group, he lost the privilege to use the key. So explicitly adding the "kms:Decrypt" action (for the particular key which was used to encrypt the file in S3) to the user in the IAM policy solved the problem, and the user was able to get the file again.

Additional information is here: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
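To make the reasoning of both answers concrete (S3 decrypts server-side, so a GET needs kms:Decrypt on the CMK; and the key policy's "Enable IAM User Permissions" root statement delegates that decision to the caller's IAM policy), here is an added Python model that is not from the question or the answers. It evaluates Allow statements only (no Deny, NotAction or Condition); the policies are condensed from the question and the object name file.txt is constructed.

```python
import fnmatch

# Principals and ARNs from the question (account id "xxx" left as on the page); object name constructed
ACCOUNT_ROOT = "arn:aws:iam::xxx:root"
USER = "arn:aws:iam::xxx:user/test-user1"
KEY_ARN = "arn:aws:kms:us-east-1:xxx:key/eacb823d-79a5-4247-8751-e0e14c0b1d67"
OBJECT_ARN = "arn:aws:s3:::test-user1-bucket/file.txt"

def _any_match(patterns, value):
    # IAM "*" / "?" wildcards over a string or a list of strings
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def allows(policy, action, resource, principal=None):
    # Simplified evaluator: Allow statements only. Pass `principal` for a resource policy.
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            p = stmt.get("Principal", {})
            if not _any_match(p if isinstance(p, str) else p.get("AWS", []), principal):
                continue
        if _any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource):
            return True
    return False

def can_read_sse_kms_object(bucket_policy, key_policy, identity_policy, user=USER):
    # S3 decrypts server-side, so a GET needs s3:GetObject AND kms:Decrypt on the CMK.
    can_get = (allows(bucket_policy, "s3:GetObject", OBJECT_ARN, principal=user)
               or allows(identity_policy, "s3:GetObject", OBJECT_ARN))
    # kms:Decrypt comes straight from the key policy, or from the caller's IAM policy when the root statement delegates.
    direct = allows(key_policy, "kms:Decrypt", KEY_ARN, principal=user)
    delegated = (allows(key_policy, "kms:Decrypt", KEY_ARN, principal=ACCOUNT_ROOT)
                 and allows(identity_policy, "kms:Decrypt", KEY_ARN))
    return "readable" if can_get and (direct or delegated) else "AccessDenied"

# Policies condensed from the question (Sids and unused statements dropped)
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER},
                                "Action": ["s3:*"], "Resource": "arn:aws:s3:::test-user1-bucket"}]}
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::xxx:user/kolyaiks_iam"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey"], "Resource": "*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # AdministratorAccess
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                          "Resource": "arn:aws:s3:::test-user1-bucket/*"}]}  # after leaving the Admin group
S3_PLUS_DECRYPT = {"Statement": S3_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY_ARN}]}  # the fix from the second answer
```

Note that the bucket policy on the page names only the bucket ARN, so in this model the s3:GetObject grant comes from the identity policy; object-level actions need the `bucket/*` resource. Dropping the root statement from the key policy makes even the AdministratorAccess user fail, which is the delegation the linked docs describe.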