I'm trying to create a KSM key to use it in the S3 service, but I get the MalformedPolicyDocument exception. Here is the resource:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Condition" : "EnableEncryption",
"Properties" : {
"Description" : "Client Master Key used to encrypt data",
"Enabled" : true,
"EnableKeyRotation" : true,
"KeyPolicy" :
{
"Version": "2012-10-17",
"Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement":
[{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS":
[
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.eu-west-1.amazonaws.com"
}
}
}]
}
}
},
I don't know where is the error, for me it is all good. Any idea please ?
::EDIT::
This code is giving the same error:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : "A sample key",
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
]
}
}
},
The defined principals do not evaluate into Arns.
The first principal would evaluate to:
"AWS": "arn:aws:iam::11111111moimeco"
A valid ARN for a user would look like this:
"arn:aws:iam::1111111:user/username"
Additionally, you need to include the root user into your principals.
Otherwise, AWS wouldn't let you create the key at all. The reason behind this is described here:
AWS Key policies under "Allows Access to the AWS Account and Enables IAM Policies"