I'm using my AWS KMS CMK to encrypt an AWS SecretsManager Secret, but my coworker can see the secret value!!
- My policy on my KMS CMK says only I can do `kms:Decrypt`.
- My coworker (who does not have those permissions on my CMK) is able to...
  - Open the AWS Console to SecretsManager >>>
  - Click `Retrieve Secret Value` >>>
  - And see my secret value!

Any idea why?
Technical Details:
I'm using AWS SAM CLI to deploy this.
Here's my AWS SAM template:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
  SecretValue:
    Type: String
  KmsCmkId:
    Type: String
Resources:
  MySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      SecretString:
        Ref: SecretValue
      KmsKeyId: !Ref KmsCmkId
```
I build and deploy it with this:
```shell
sam build ; sam deploy --guided --parameter-overrides SecretValue=ABC KmsCmkId=REDACTED
```
My Debugging To-Date:
I searched serverfault.com and essentially got no results. I searched Stack Overflow and found only one post, which seems to be related, but the problem is not articulated, and the solution is not what's going on in my case: "AWS KMS CMK encrypt and decrypt with symmetric and asymmetric".

I'm using a symmetric CMK because SecretsManager requires it. (SecretsManager does not allow use of asymmetric CMKs to encrypt secret values.)
I confirmed that clicking the `Retrieve Secret Value` button in the AWS SecretsManager console indeed performs a `secretsmanager:GetSecretValue` API call.

AWS says `secretsmanager:GetSecretValue` should only work if the caller also has `kms:Decrypt` on the CMK that was used to encrypt the secret (which makes sense). (See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html)

I confirmed that my symmetric KMS CMK is indeed the CMK being used to encrypt the secret.
My coworker is NOT logged into AWS as the root account. He's logged in as his account. He happens to have a ton of permissions because he's an admin, but I see no reason why that should allow him to use my CMK.
If you're curious why my coworker has KMS actions for key admins, it's because he's our system admin.
The policy on my KMS CMK was auto-generated by the nice wizard you go through in the AWS Console when you create a CMK.
Note: Be careful not to confuse `kms:Get*` operations with `secretsmanager:Get*` operations.

Here's the policy on my KMS CMK:
```json
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDACTED:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::REDACTED:user/MY_COWORKER"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDACTED:user/ME"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDACTED:user/ME"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```
`*` permissions on every service? For example, can they access other KMS keys? If so, then they have another policy that is granting them KMS permissions. You would probably need to add a `Deny` section to the KMS CMK to prevent other people from using it. – John Rotenstein
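An added check, not from the question or the comment above: a small script that walks a key policy shaped like the one in the question and reports which statements cover `kms:Decrypt`. The `Enable IAM User Permissions` statement, whose principal is the account root ARN, is what lets IAM identity policies in the account (such as an admin's) grant `kms:Decrypt` without the admin being named in the key policy, which is the "another policy" the comment refers to. The policy and account id below are constructed placeholders.

```python
# Constructed sample: the shape of the console-generated key policy from the
# question, with a placeholder account id (not a real account).
ACCOUNT_ID = "123456789012"
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/ME"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM-style match: exact name, 'kms:*', or a trailing-wildcard prefix."""
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()

def statements_allowing(policy, action):
    """Allow statements whose Action covers `action` (Conditions are ignored)."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and any(_action_matches(p, action)
                    for p in _as_list(s.get("Action", [])))]

def iam_delegated_principals(policy, action):
    """(Sid, principal) pairs that grant `action` to the account root principal.

    A statement whose Principal is arn:aws:iam::<account>:root does not grant
    the root user alone: it enables every IAM identity policy in that account to
    grant the same KMS actions. That is how a broad admin IAM policy can allow
    kms:Decrypt on a key whose key policy only names one user for Decrypt.
    """
    return [(s.get("Sid"), p)
            for s in statements_allowing(policy, action)
            for p in _as_list(s.get("Principal", {}).get("AWS", []))
            if p.endswith(":root")]

def decrypt_delegated_to_iam(policy):
    """True when IAM policies in the account can grant kms:Decrypt on this key."""
    return bool(iam_delegated_principals(policy, "kms:Decrypt"))
```

Removing or narrowing the root-principal statement is what stops IAM policies from granting access, but a key policy with no root-principal statement can become unmanageable, so check who is left with administrative actions before changing it.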