KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager
I've set up a CMK (Custom Managed Key) to encrypt LogGroups with AWS Systems Session Manager:
First, permissions for "key administrators" and "key users/roles" are added in the KMS console.
Next, the CMK is attached in AWS Systems Manager Session Manager Preferences to the LogGroup as shown in this image:
Error:
The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:my_region:my_account_id:log-group:/SSM'
The key must exist because it's used to encrypt the Sessions and is just not decrypting LogGroups properly, but it is linked to the LogGroup and the user has permission. What gives?
I tried to replicate your issue.
My session manger settings:
The CloudWatch log group has been encrypted using CLI:
{
"logGroups": [
{
"logGroupName": "SSM",
"creationTime": 1593579430258,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM:*",
"storedBytes": 0,
"kmsKeyId": "arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxx-9500-xxxxx"
}
]
}
After launching the session manger I can get confirmation that it is encrypted:
Based on this verification, the only thing required to make it work was setting KMS key policies. I added the following to my KMS (SSMRole is instance role, the other entries should be self-explenatory):
{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:xxxxx:log-group:SSM"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:role/SSMRole"
}
}
- Amazon SES cannot find DNS Records for "custom MAIL FROM domain" (after some time)
- How to make inference to a keras model hosted on AWS SageMaker via AWS Lambda function?
- How to deploy a Pre-Trained model using AWS SageMaker Notebook Instance?
- AWS sts assume role in one command
- How to connect AWS Elasticache Redis cluster to Spring Boot app?
- AWS elastic Beanstalk / nginx : connect() failed (111: Connection refused
- AWS ECS exec /usr/local/bin/docker-entrypoint.sh: exec format error
- How can I delete folder on S3 with Node.js?
- Enable caching for url query parameters in aws api gateway with terraform
- AWS IAM role principal vs role session principal
- Setting directory owner and permission with appspec.yml through Amazon Web Service CodeDeploy
- How to update multiple items in a DynamoDB table at once
- https on S3 WITHOUT cloudfront possible?
- How to query Views in Athena in a AWS Glue ETL job
- AWS glue to extract json referenced by id
- Unable to delete AWS VPC Endpoint
- Amazon textextract I can't find trp module
- Can't find AWS Lightsail permissions policy for my IAM user
- How to query dynamoDB based on key + attribute?
- AWS Bedrock RAG - Unable to sync data source in a knowledge base
- How to duplicate a Redshift table schema?
- SpringBoot + AWS cognito, can't resolve issuerUri
- image failed to show when Upload from Lambda
- How to use dynamoose in AWS AppSync JS resolver?
- How message from AWS DLQ gets deleted?
- Template format error: unsupported structure seen in AWS CloudFormation
- AWS InvalidSignatureException, Signature expired when running from docker container
- AWS Glue - o109.pyWriteDynamicFrame. ERROR: relation "xyz" already exists
- AWS - NoCredentialsError: Unable to locate credentials
- Amazon Athena CREATE EXTERNAL TABLE mismatched input 'external' invalidrequestexception