[kms] overriding policy default statement
Setting a KMS policy parameter adds a statement to the default policy instead of overriding the whole policy.
Reproduction Steps
from aws_cdk import aws_iam, aws_kms

# Created inside a Stack's __init__, so `self` is the Stack; the account id is a placeholder
aws_kms.Key(
    self, 'mykey',
    policy=aws_iam.PolicyDocument(
        statements=[
            aws_iam.PolicyStatement(
                effect=aws_iam.Effect.ALLOW,
                actions=['kms:*'],
                principals=[aws_iam.ArnPrincipal('arn:aws:iam::xxxxxxxxxx:root')]
            )
        ]
    )
)
What did you expect to happen?
I was expecting the new KMS policy to be exactly what I set in the policy parameter:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:root"
      },
      "Action": "kms:*"
    }
  ]
}
What actually happened?
Instead it was added as a new statement alongside the default one.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:root"
      },
      "Action": "kms:*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:root"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:GenerateDataKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}
Environment
- CLI Version: (cdk --version) 1.64.1
- Framework Version: (pip3 list | grep aws-cdk.aws-kms) 1.64.1
- Node.js Version: (node -v) v10.16.3
- OS: (uname -r) 4.14.146-93.123.amzn1.x86_64
- Language (Version): (python --version) Python 3.6.8
This is a 🐛 Bug Report
Issue Analytics
- Created 3 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
@pproux - That’s exactly what the fix (released in v1.78.0) enables. Default policies will not be added if you provide a policy, if the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set. The flag will be enabled by default for all new CDK projects, or can be manually enabled for existing projects.
Related to #8977 (possibly a complete dupe of it). I’ll keep this one open for now.
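As an added check, not code from the issue or from the CDK project: the first function below diffs a synthesized key policy against the one you intended (the merged policy from "What actually happened?" is embedded as constructed sample data with a placeholder account id) and returns any extra statements such as the default one, and the second confirms that the '@aws-cdk/aws-kms:defaultKeyPolicies' context flag named in the maintainer's comment is set in cdk.json.

```python
import json

# Constructed sample (placeholder account id, not the reporter's): the intended policy
# from "What did you expect to happen?".
INTENDED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*"},
    ],
}

# Constructed sample: what CDK 1.64.1 synthesized without the flag, i.e. the intended
# statement plus the default statement granting a broad action set on Resource "*".
SYNTHESIZED = {
    "Version": "2012-10-17",
    "Statement": INTENDED["Statement"] + [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey",
                    "kms:TagResource", "kms:UntagResource"],
         "Resource": "*"},
    ],
}

def _canon(node):
    """Comparable form: dict keys sorted, lists sorted, a bare string treated as a one-item list."""
    if isinstance(node, dict):
        return {k: _canon(v) for k, v in sorted(node.items())}
    if isinstance(node, list):
        return sorted((_canon(v) if isinstance(v, (dict, list)) else v for v in node), key=json.dumps)
    return [node]

def unexpected_statements(synthesized, intended):
    """Statements present in the synthesized key policy that the intended policy does not contain."""
    wanted = {json.dumps(_canon(s), sort_keys=True) for s in intended["Statement"]}
    return [s for s in synthesized["Statement"]
            if json.dumps(_canon(s), sort_keys=True) not in wanted]

def default_key_policy_flag_enabled(cdk_json_text):
    """True when cdk.json sets the '@aws-cdk/aws-kms:defaultKeyPolicies' context flag to true."""
    context = json.loads(cdk_json_text).get("context", {})
    return context.get("@aws-cdk/aws-kms:defaultKeyPolicies") is True

if __name__ == "__main__":
    for stmt in unexpected_statements(SYNTHESIZED, INTENDED):
        print("unexpected statement in synthesized key policy:", json.dumps(stmt))
```

Run it against the output of `cdk synth` for your own stack to confirm the key policy contains only the statements you wrote.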