{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDecryptForDevKey",
"Effect": "Deny",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:RequestAlias": "dev"
}
}
},
{
"Sid": "AllowDecryptIfNotDevKey",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"kms:RequestAlias": "dev"
}
}
},
{
"Sid": "GetSSMParameters",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "*"
}
]
}
but when i'm trying to create it in the UI, these are the following permissions it shows that are defined in the policy.
| Explicit deny (1 of 402 services) |
|------------------------------------|
| Service | Access level | Resource | Request condition |
|--------------|--------------|----------------|---------------------------|
| KMS | Limited: Write | All resources | kms:RequestAlias = dev |
| Allow (1 of 402 services) |
|-----------------------------------|
| Service | Access level | Resource | Request condition |
|------------------|--------------|----------------|-------------------|
| KMS | Limited: Write | All resources | kms:RequestAlias !== dev |
| Systems Manager | Limited: Read | All resources | None |
This is how i am testing it :
* Create a parameter with type SecureString and encrypt it with key dev
* Create another parameter with type SecureString and encrypt it with key that is not dev.
* Create a Role. testing-role with Trusted entity type as AWS account.
* Create an IAM policy with the above permissions and attach to the role.
* Switch role from the UI inputting the name of the role i.e. testing-role that i created as well as the AWS account ID.
* After switching to the role, go to the parameters that were created and try to view the value by toggling Show decrypted value
But somehow I'm still able to decrypt any secrets encrypted by dev key. Thank you.
0 comments:
Post a Comment
Thanks