1 vote

I have symmetric KMS keys which I'm using to encrypt a string:

import boto3

session = boto3.Session()  # picks up the credentials/profile set with `aws configure`
client = session.client('kms')
response = client.encrypt(
    KeyId='abcde-sdfjfsdfsdf-sdfsdf',  # key ID, key ARN, or alias of the symmetric KMS key
    Plaintext=b'Once upon a time. I want to encrypt this',
)
ciphertext = response['CiphertextBlob']  # opaque blob; it records which key produced it

I have this encrypted string hanging out in GitHub. However, I noticed that technically anyone can get the encrypted string and decrypt it, because the metadata is inside that string. I know this because I can do an aws configure, point to a totally different AWS account, and run the decrypt just fine. If this can happen, why even use asymmetric? Is it only meant for encrypted strings that stay in the AWS account? In my scenario, would it be better to use asymmetric?

1
What do you mean anyone can decrypt it? Only those that are specified in your KMS key policy can use your KMS key. - Marcin
No. This is the scenario. I'm sitting on my command line and I encrypt a string similar to the above. I get a response of "AQ.......". I do an aws configure and switch to a totally different AWS account. Then I run aws kms decrypt and pass that "AQ...." string. It decrypted fine. How? I switched AWS accounts, so isn't the assumption that the metadata that points to my CMK when I encrypted it is not available, because I did an aws configure to another AWS account? - Jimmy Chen
It shouldn't work like this; as you pointed out, it does not make sense to have KMS. You must be doing something wrong in your test. Otherwise, please update the question with the exact steps and commands to reproduce the issue. - Marcin
Actually, I resolved this. It was the AWS user that I was using which had access to both accounts. Appreciate everyone's response. - Jimmy Chen
Thanks for letting me know. If you don't mind, I will provide a short answer. - Marcin

1 Answer

0
votes

Based on the comments.

KMS worked as expected. The issue was that a user who has access to both accounts was using KMS, which made it seem as if two different accounts could use KMS without any permissions.
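The mechanism the answer relies on is that a KMS ciphertext blob only names the key; whether a Decrypt call succeeds is decided by the key policy against the principal actually making the call. The following is an added, deliberately simplified model of that authorization step (example code, not part of the original question or answer, and not AWS's evaluator: it ignores IAM identity policies, grants, conditions and SCPs). The key ARN, account IDs, the user `jimmy`, the role `analyst` and the profile names are constructed placeholders. It reproduces the thread's situation, two CLI profiles that resolve to the same IAM user, and contrasts it with a principal from a second account that the key policy does not mention, and with a proper cross-account statement.

```python
"""Added example: a minimal model of how a KMS key policy gates kms:Decrypt.

Simplification, not AWS's real evaluator (no identity policies, grants,
conditions or SCPs). All ARNs, account IDs and profile names are constructed.
"""
import copy

# Constructed placeholders mirroring the thread (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/abcde-sdfjfsdfsdf-sdfsdf"
KEY_OWNER_USER = "arn:aws:iam::111111111111:user/jimmy"   # the asker's IAM user
FOREIGN_ROLE = "arn:aws:iam::222222222222:role/analyst"   # an unrelated account

# Key policy: only the owning user may use the key.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnerUserToUseTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": KEY_OWNER_USER},
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
        }
    ],
}


def account_of(arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def principal_matches(principal, caller_arn: str) -> bool:
    """Does a statement's Principal element cover this caller?

    '*' matches anyone; a bare account ID or the account root ARN matches any
    identity in that account (real IAM then also requires an identity policy
    in that account); otherwise the ARN must match exactly.
    """
    if principal == "*":
        return True
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    acct = account_of(caller_arn)
    return any(v in ("*", caller_arn, acct, f"arn:aws:iam::{acct}:root") for v in values)


def key_policy_allows(policy, caller_arn: str, action: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions and "kms:*" not in actions:
            continue
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


# What `aws configure` switches between: named profiles. In the thread both
# profiles held credentials for the SAME IAM user, which is modelled here.
PROFILES = {"default": KEY_OWNER_USER, "second-account": KEY_OWNER_USER}


def decrypt_from_profiles(policy, profiles):
    """Outcome of `aws kms decrypt` per profile: the ciphertext always names
    KEY_ARN; only the calling principal changes, so identical principals give
    identical answers no matter which profile is active."""
    return {name: key_policy_allows(policy, arn, "kms:Decrypt") for name, arn in profiles.items()}


def with_cross_account_grant(policy, account_id: str):
    """The legitimate way a second account gets Decrypt: an explicit key-policy
    statement for that account (plus an identity policy there, not modelled)."""
    new = copy.deepcopy(policy)
    new["Statement"].append({
        "Sid": f"AllowAccount{account_id}ToDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:Decrypt",
        "Resource": "*",
    })
    return new


if __name__ == "__main__":
    print("same user via two profiles:", decrypt_from_profiles(KEY_POLICY, PROFILES))
    print("foreign role, no grant:    ", key_policy_allows(KEY_POLICY, FOREIGN_ROLE, "kms:Decrypt"))
    shared = with_cross_account_grant(KEY_POLICY, account_of(FOREIGN_ROLE))
    print("foreign role, with grant:  ", key_policy_allows(shared, FOREIGN_ROLE, "kms:Decrypt"))
```

The practical check that would have resolved the question immediately is `aws sts get-caller-identity` run before and after `aws configure`: if the returned `Arn` is the same, no account switch happened as far as KMS is concerned, and the decrypt succeeding is exactly the key policy doing its job.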