This code repo demonstrates the usage of KMS grants.

There are two scenarios in this repository:

- In conjunction with S3. To reduce costs with SSE-KMS we'll be using Amazon S3 Bucket Keys.
- Hands-on using the AWS CLI to Create, Retire, and Revoke grants.
Grants can take up to 5 minutes to achieve eventual consistency. For immediate use, it's necessary to use a grant token.
ℹ️ Additional info about grants
A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations. Grants are commonly used by AWS services that integrate with AWS KMS to encrypt your data at rest. The service creates a grant on behalf of a user in the account, uses its permissions, and retires the grant as soon as its task is complete.
Create the infrastructure:

```bash
terraform init
terraform apply -auto-approve
```

This will create the required demonstration resources.
Check the KMS key permission statement for IAM user John, which should be the following:

```json
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::000000000000:user/John"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-east-2.amazonaws.com",
        "rds.us-east-2.amazonaws.com",
        "s3.us-east-2.amazonaws.com"
      ]
    }
  }
}
```
IAM user John has no permissions other than IAM Readonly, for ease of development.
This section implements the steps from this hands-on video.
The following resources will be configured for this hands-on:

- IAM users: AdminPrin, RetirePrin, and GranteePrin
- KMS Key
- EC2 instance with the AWS CLI installed

AdminPrin will be granted administrator privileges to the KMS key.

⚠️ AdminPrin will be granted AdministratorAccess.
Connect to the EC2 instance and set up the AdminPrin user:

```bash
aws configure
```
Now create the grants for the exercise.

ℹ️ Note: Copy the Grant Token and Grant ID from each response.

Create a grant providing the Grantee Principal the ability to generate a data key:

```bash
aws kms create-grant \
  --key-id <<KEY ID>> \
  --grantee-principal <<ARN of GranteePrin>> \
  --operations GenerateDataKey \
  --retiring-principal <<ARN of RetirePrin>> \
  --constraints EncryptionContextSubset={Department=IT}
```
Create a grant providing the Grantee Principal the ability to decrypt:

```bash
aws kms create-grant \
  --key-id <<KEY ID>> \
  --grantee-principal <<ARN of GranteePrin>> \
  --operations Decrypt \
  --retiring-principal <<ARN of RetirePrin>> \
  --constraints EncryptionContextSubset={Department=Finance}
```
Configure GranteePrin:

```bash
aws configure
```
Generate a Data Key:

💡 Note: If eventual consistency has not been achieved yet, you can add `--grant-token <<GRANT TOKEN>>` to the command.

```bash
aws kms generate-data-key \
  --key-id <<KEY ID>> \
  --key-spec AES_256 \
  --encryption-context Department=IT
```
Configure RetirePrin:

```bash
aws configure
```

Retire the grant:

```bash
aws kms retire-grant --key-id <<KEY ARN>> --grant-token <<GRANT-TOKEN>>
```
Configure AdminPrin again:

```bash
aws configure
```

List the existing grants:

```bash
aws kms list-grants --key-id <<KEY ARN>>
```
Revoke the Decrypt grant:

```bash
aws kms revoke-grant --key-id <<KEY ARN>> --grant-id <<GRANT ID>>
```
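To see why the encryption context matters in the two grants above, here is an added, offline model (not AWS or this repo's code) of how KMS checks a request against a grant's operations and its EncryptionContextSubset constraint, and what a revoke removes. The grant IDs and ARNs are constructed placeholders.

```python
# Added example: local model of KMS grant evaluation (not AWS code, runs offline).
from dataclasses import dataclass, field

@dataclass
class Grant:
    grant_id: str
    grantee: str
    operations: set
    subset: dict = field(default_factory=dict)   # EncryptionContextSubset pairs
    equals: dict = field(default_factory=dict)   # EncryptionContextEquals pairs

def constraint_allows(grant, ctx):
    """Subset: every constraint pair must be present in the request context
    (extra pairs are fine). Equals: the request context must match exactly.
    A request with no encryption context cannot satisfy a non-empty constraint."""
    if grant.equals:
        return ctx == grant.equals
    return all(ctx.get(k) == v for k, v in grant.subset.items())

def grant_permits(grants, principal, operation, ctx):
    """Return the id of the first grant that allows the request, or None."""
    for g in grants:
        if g.grantee == principal and operation in g.operations and constraint_allows(g, ctx):
            return g.grant_id
    return None

def revoke(grants, grant_id):
    """RevokeGrant: the grant stops being usable; return the remaining grants."""
    return [g for g in grants if g.grant_id != grant_id]

# Constructed sample grants mirroring the two create-grant commands above.
GRANTEE = "arn:aws:iam::000000000000:user/GranteePrin"   # placeholder ARN
RETIRER = "arn:aws:iam::000000000000:user/RetirePrin"    # placeholder ARN
GRANTS = [
    Grant("grant-it", GRANTEE, {"GenerateDataKey"}, subset={"Department": "IT"}),
    Grant("grant-fin", GRANTEE, {"Decrypt"}, subset={"Department": "Finance"}),
]

if __name__ == "__main__":
    # The data key generated under Department=IT cannot be decrypted via the
    # Decrypt grant, whose constraint requires Department=Finance.
    print(grant_permits(GRANTS, GRANTEE, "GenerateDataKey", {"Department": "IT"}))
    print(grant_permits(GRANTS, GRANTEE, "Decrypt", {"Department": "IT"}))
    print(grant_permits(revoke(GRANTS, "grant-fin"), GRANTEE, "Decrypt", {"Department": "Finance"}))
```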
Destroy the resources:

```bash
terraform destroy -auto-approve
```