I'm trying to create a RDS DB and encrypt it using a CMK, is it possible to restrict myself from using this KMS key? to follow GDPR rules
Example: I don't want to be able to decrypt or encrypt, create a snapshot or restore a snapshot from the DB I created.
The key policy I used:
data "aws_iam_policy_document" "kms" {
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = "${local.arn}"
}
actions = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
]
resources = ["*"]
}
}
what is wrong with the policy above?
If you want to ensure that a particular IAM entity (user, role, or group) does not have permission to use a specific KMS key, you can exclude that key from the resources field in your IAM policy and as well set "Effect" of your statement to "Deny" as adviced in the comment.
Try this
data "aws_iam_policy_document" "kms" {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "kms:*",
"Resource": "${aws_kms_key.your_key.arn}"
},
{
"Effect": "Allow",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}
Replace "your_key" with the actual name or ARN of the KMS key you want to exclude.