The Best Way To Provide KMS Permissions In AWS

Photo by Markus Winkler on Unsplash

If you actively monitor your Security Hub score, chances are you already know how tricky things can get.

Recently, a new check for encrypting SNS topics at rest was added to Security Hub. As a result, I faced some strange issues.

I followed these steps to resolve the broken notifications, but this led to me failing another security check.

Chances are that you’ll fail KMS.1 or KMS.2 of the AWS Foundational Security Best Practices standard if you follow the approach above.


Because you are granting KMS actions on a wildcard (*) resource, i.e. on every key in the account!

The first approach that came to my mind was to add an inline policy to the role, with the specific KMS key’s ARN in the Resource section of the policy.

But wait! What if I need to add these permissions to some other role?

Well, in that case I’ll need to create another inline policy for that role too.

So this definitely was not the answer. Then what? How about a customer managed policy holding the permissions, rather than an inline policy?

In this case too, I might face issues: the policy grants more than one permission, so reusing it can violate the principle of least privilege.

So how can we grant KMS permissions in a way that can be reused safely?

I created a separate managed policy containing only the decrypt permission on the key, named it accordingly, and did the same for each of the other KMS permissions I was granting.

The benefits?

I can now reuse the individual policies for individual permissions and keys without violating the principle of least privilege!
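As an added example (not the author’s code), here is a small checker for the pattern described above: it flags statements that allow KMS actions on a wildcard resource, and builds the single-action, single-key managed policy that replaces them. The sample policy and the key ARN are constructed placeholders.

```python
import json

def _as_list(value):
    """Normalise IAM fields that may be either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def wildcard_kms_grants(policy):
    """Return (statement_index, action) pairs that allow a KMS action on all keys.

    A Resource of "*" or a key ARN ending in ":key/*" counts as "all keys";
    this is the wildcard grant that trips the KMS.1 / KMS.2 checks.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if not any(r == "*" or r.endswith(":key/*") for r in resources):
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.lower().startswith("kms:"):
                findings.append((idx, action))
    return findings

def scoped_kms_policy(action, key_arn):
    """Build a single-purpose managed policy: one KMS action on one named key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": action, "Resource": key_arn}],
    }

# Constructed sample: the kind of inline policy that fixes SNS encryption but
# fails KMS.1 / KMS.2 because the KMS statement uses a wildcard resource.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
    ],
}
# Placeholder key ARN (not a real key).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    for idx, action in wildcard_kms_grants(BROKEN_POLICY):
        print(f"statement {idx}: {action} allowed on all KMS keys")
    print(json.dumps(scoped_kms_policy("kms:Decrypt", KEY_ARN), indent=2))
```

Running the checker against each generated single-key policy returns no findings, which is the state the per-permission managed policies are meant to reach.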

Anirudh Duggal