Score:0

How does a good KMS key policy for AWS Landing Zone (Control Tower) look?


I recently "broke" Control Tower by manually adding a KMS key to the Control Tower SNS-topics. This didn't work very well when Control Tower did a check or upgrade on the stacks. I had to remove the key and nudge some stacks to get it in a healthy state, but now the SNS-topics are unencrypted and Security Hub is unhappy.

Previously I deployed a KMS key for use on SNS-topics to all org accounts (one in each), but I now understand that Control Tower can do this for me if I give it a key on creation or modification of the Landing Zone. From what I understand this key has to be a single key in the management account with a policy that allows at least the Config and CloudTrail services, but is also available for use in all my accounts.

If someone could please provide me with a template of how that would look I would be very grateful. Please and thank you. :)

Tim
It's not really clear what your question is. Can you edit it to remove extraneous detail and focus on current state and problem? Clarifications such as explaining what an "SNS key" is would be useful, you might mean a KMS customer managed key intended for SNS use, for example.
@tim Sorry! That was a typo/shorthand. Also: I have experimented a bit with a solution and I think I've got it. I'll answer my own question when I have had the time to verify it.
Massimo
I never cease to be amazed by how obscure AWS can be to a non-AWS user.
Score:0

I was able to get this to work via a combination of the answer above, plus allowing the following AWS Service roles to use the key:

"arn:aws:iam::112211221122:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerStackSetRole",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerAdmin",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerCloudTrailRole"

I don't know if all of these are needed or not, I just guessed.

Score:0

I couldn't let this go so I went testing and found the following is likely a good solution.

Key points I learned:

  • It looks like the services only need "kms:GenerateDataKey" permissions.
  • Use a "StringLike" condition, not "StringEquals", if you want a * wildcard.

This documentation was quite useful. I was not successful in crafting a policy that used "aws:SourceArn" or "aws:SourceAccount", but I did succeed with "kms:EncryptionContext:context".

Here is my policy, account numbers redacted:

{
    "Version": "2012-10-17",
    "Id": "SNS-KMS-Key",
    "Statement": [
        {
            "Sid": "Key admin in mgmt account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::112211221122:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AWS-services permissions in all accounts",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*"
            ],
            "Resource": "*"
        }
    ]
}

I hope someone finds this useful. Please note that I suspect you could, and maybe should, use conditions to limit the last statement. I didn't get that to work myself.

Alex
I don't see the use of "kms:EncryptionContext:context" in the resource policy example you've posted. How do I know what the value of the context should be? I tried inspecting CloudTrail, but I can't seem to find anything relevant.
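As an added example (not code from the asker or any of the answerers), the following Python script takes the key policy posted in the answer above, flags the service-principal statement that has no Condition, attaches a StringLike condition on the encryption context, and evaluates whether a given service would be allowed to call a given KMS action under that policy. It illustrates the answer's two key points (why a wildcard needs StringLike rather than StringEquals, and why the unconditioned service statement is worth tightening). The account ID 112211221122 is the placeholder already used on the page; the encryption-context key aws:sns:topicArn and the aws-controltower- topic-name prefix are assumptions for illustration, not something confirmed by the thread. The evaluator is deliberately simplified: it ignores Deny statements, the Resource element and all condition operators other than StringEquals/StringLike.

```python
"""Lint, tighten and evaluate a KMS key policy meant for Control Tower SNS topics."""
import copy
import fnmatch
import json

MGMT_ACCOUNT = "112211221122"  # redacted placeholder account ID, as on the page

# The policy posted in the answer above, transcribed to a dict.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Id": "SNS-KMS-Key",
    "Statement": [
        {
            "Sid": "Key admin in mgmt account",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "AWS-services permissions in all accounts",
            "Effect": "Allow",
            "Principal": {"Service": ["config.amazonaws.com", "cloudtrail.amazonaws.com"]},
            "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt",
                       "kms:DescribeKey", "kms:ReEncrypt*"],
            "Resource": "*",
        },
    ],
}

# Assumed condition (not from the thread): SNS presents the topic ARN as encryption
# context under 'aws:sns:topicArn'. The value contains wildcards, so StringLike is used.
SNS_TOPIC_CONDITION = {
    "StringLike": {
        "kms:EncryptionContext:aws:sns:topicArn": "arn:aws:sns:*:*:aws-controltower-*"
    }
}
CTX_PREFIX = "kms:EncryptionContext:"


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy):
    """Return findings for Allow statements that are broader than they need to be."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{st.get('Sid')}: grants every principal")
        if isinstance(principal, dict) and principal.get("Service") and "Condition" not in st:
            findings.append(f"{st.get('Sid')}: service principal without Condition")
    return findings


def harden_policy(policy, condition=SNS_TOPIC_CONDITION):
    """Return a copy of the policy with `condition` attached to every service-principal Allow."""
    hardened = copy.deepcopy(policy)
    for st in _as_list(hardened["Statement"]):
        principal = st.get("Principal", {})
        if st.get("Effect") == "Allow" and isinstance(principal, dict) and principal.get("Service"):
            st.setdefault("Condition", {}).update(copy.deepcopy(condition))
    return hardened


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringLike operators on kms:EncryptionContext:* keys."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            ctx_key = key[len(CTX_PREFIX):] if key.startswith(CTX_PREFIX) else key
            actual = context.get(ctx_key)
            if actual is None:
                return False  # missing context key never satisfies a String* condition
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, pattern) for pattern in _as_list(expected)):
                return False
    return True


def service_allowed(policy, service, action, context=None):
    """True if some Allow statement lets `service` call `action` with this encryption context."""
    context = context or {}
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if service not in _as_list(principal.get("Service")):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action"))):
            continue
        if _condition_holds(st.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print("findings:", lint_key_policy(BASE_POLICY))
    print(json.dumps(harden_policy(BASE_POLICY), indent=4))
```

Running the script prints the lint finding for the unconditioned service statement and then the tightened policy as JSON ready to paste into the key policy editor; swap the assumed condition for one built from the encryption context actually recorded in your own CloudTrail events before relying on it.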