Home / server / Questions / 1084652
Accepted
Gomibushi
Asked: 2021-11-27 03:28:32 +0800 CST

How does a good KMS key policy for AWS Landing Zone (Control Tower) look?

  • 772

I recently "broke" Control Tower by manually adding a KMS key to the Control Tower SNS-topics. This didn't work very well when Control Tower did a check or upgrade on the stacks. I had to remove the key and nudge some stacks to get it in a healthy state, but now the SNS-topics are unencrypted and Security Hub is unhappy.

Previously I deployed an KMS key for use on SNS-topics to all org accounts (one in each), but I now understand that Control Tower can do this for me if I give it a key on creation or modify of Landing Zone. From what I understand this key has to be a single key in the management account and with a policy that allows at least Config and CloudTrail services, but is also available for use in all my accounts.

If someone could please provide me with a template of how that would look I would be very grateful. Please and thank you. :)

amazon-web-services

2 Answers

  1. Best Answer

    I couldn't let this go so I went testing and found the following is likely a good solution.

    Key points I learned:

    • Looks like the services only need "kms:GenerateDataKey"-permissions.
    • Use "StringLike" condition, not "StringEquals" if you want *-wildcard

    This documentation was quite useful. I was not successful in crafting a policy that used "aws:SourceArn" or "aws:SourceAccount", but I did succeed with "kms:EncryptionContext:context".

    Here is my policy, account no's redacted:

    {
    "Version": "2012-10-17",
    "Id": "SNS-KMS-Key",
    "Statement": [
        {
            "Sid": "Key admin in mgmt account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::112211221122:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AWS-services permissions in all accounts",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*"
            ],
            "Resource": "*"
        }
    ]
}

    I hope someone finds this useful. Please note that I suspect you could and maybe should use conditions to limit the last statement. Didn't get that to work myself.

    • 1

  2. I was able to get this to work via a combination of the answer above, plus allowing the following AWS Service roles to use the key:

    "arn:aws:iam::112211221122:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerStackSetRole",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerAdmin",
"arn:aws:iam::112211221122:role/service-role/AWSControlTowerCloudTrailRole"

    I don't know if all of these are needed or not, I just guessed.

    • 0