KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager
I've set up a CMK (Custom Managed Key) to encrypt LogGroups with AWS Systems Session Manager:
First, permissions for "key administrators" and "key users/roles" are added in the KMS console.
Next, the CMK is attached in AWS Systems Manager Session Manager Preferences to the LogGroup as shown in this image:
Error:
The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM'
The key must exist because it's used to encrypt the Sessions and is just not decrypting LogGroups properly, but it is linked to the LogGroup and the user has permission. What gives?
I tried to replicate your issue.
My session manger settings:
The CloudWatch log group has been encrypted using CLI:
{
"logGroups": [
{
"logGroupName": "SSM",
"creationTime": 1593579430258,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
"storedBytes": 0,
"kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
}
]
}
After launching the session manger I can get confirmation that it is encrypted:
Based on this verification, the only thing required to make it work was setting KMS key policies. I added the following to my KMS (SSMRole is instance role, the other entries should be self-explenatory):
{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:role/SSMRole"
}
}
- Get last modified object from S3 using AWS CLI
- "host not allowed" error when deploying a play framework application to Amazon AWS with Boxfuse
- Is there a way to use PyGithub on AWS Lambda
- Neptune throws Bad handshake error while connecting to a IAM Enabled Neptune Instance
- How to extract files from a zip archive in S3
- How do I use the aws cli to set permissions on files in an S3 bucket?
- Nextflow process running in AWS with docker container can't find program in $PATH, although program is there
- How do I setup and use Laravel Scheduling on AWS Elastic Beanstalk?
- Where does docker store it's temp files during extraction?
- Which is the best way on AWS to set up a CI/CD of a Django app from GitHub?
- Make VPC creation optional
- How to point ApiGateway to a specific Lambda alias
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- Can we setup third Party SSL certificate AWS lightsail loadbalancer
- A proper way to use AWS Redis Cluster with Celery
- How to rollback to previous version in Amazon S3 bucket?
- Why does S3.deleteObject not fail when the specified key doesn't exist?
- I can't delete AWS appconfig configuration and environment
- How to run Anaconda Python on sudo
- `aws ecs execute-command` results in `TargetNotConnectedException` `The execute command failed due to an internal error`
- AWS authorizer returns 500, message: null, with AuthorizerConfigurationException error in response
- Call S3 pre-signed URL with postman
- Terraform error when module has a count on the input that is not yet created
- Is there a way to point my machine's kubectl to a K8s cluster hosted on EC2 Instances?
- MWAA CLI - Stop Dags Execution
- Lambda@Edge not logging on cloudfront request
- User-data scripts is not running on my custom AMI, but working in standard Amazon linux
- Run docker commands in AWS Lambda Function
- Django ALLOWED_HOSTS for Amazon ELB
- CodeDeploy blue/green ECS fargate error: Invalid arn syntax