Hi, I am trying to write a KMS key policy where only a particular Lambda function is allowed to encrypt or decrypt with the KMS key, and nobody else, not even an IAM user. The current key policy is like this:
{
  "Version": "2012-10-17",
  "Id": keyName,
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "AWS": roleArn
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": userArn // Replace with the AWS account ID that owns the key
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
This is working fine, but the problem is that if I write a script on my local machine, authenticated using the AWS CLI (not invoking the Lambda, just a normal Node.js script), to decrypt with the KMS key, I am able to do so (which I don't want). I only want the Lambda function to be able to do so. If I restrict the IAM user by doing something like this:
{
  "Version": "2012-10-17",
  "Id": keyName,
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "AWS": roleArn
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": userArn // Replace with the AWS account ID that owns the key
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:GenerateDataKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}
then I get the error "assumed-role is not allowed to decrypt" when invoking the Lambda function.
Fixed it; actually I was decrypting data which was encrypted using a different KMS key!