AWS lambda and kms key aliases

Time: 11-23

I have a Lambda function that uses KMS, like so:

{
  "Sid": "KMSDecryption",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": [
    "${KMSArn}"
  ]
}

Originally I set it up in Terraform to use the alias only; however, this didn't work. I had to reference the "arn" to allow the Lambda access, which makes sense.

{....
.....
  policy_file = templatefile("lambda_policy.json", {
    KMSArn = data.aws_kms_alias.key_alias.target_key_arn
  })
}

data "aws_kms_alias" "key_alias" {
  name = "alias/kms_test"
}

My question is: now that the Lambda policy has the "arn" in it, which I have seen in the console, what happens when the keys are rotated? Does AWS also update the ARN on the Lambda to point to the new key...

OR

Is there a way to reference the alias in the Lambda policy so that it won't matter?

CodePudding user response:

You need to reference the ARN in your policy. You shouldn't worry about rotation. From the
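As an added illustration (not part of the question or the answer above; the account ID and key ARNs are constructed placeholders): automatic KMS key rotation replaces only the backing key material, so the key ID and therefore the ARN stay the same and a policy that names the ARN keeps working. Re-pointing the alias to a different key by hand does change what the alias resolves to, and the rendered policy would not follow; this check compares the ARN baked into the rendered policy against the alias's current target to detect that drift.

```python
"""Check that a rendered Lambda policy still names the key its KMS alias resolves to."""
import json

# Constructed example identifiers (not real keys or accounts).
ACCOUNT = "123456789012"
KEY_A = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/11111111-2222-4333-8444-555555555555"
KEY_B = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/66666666-7777-4888-8999-000000000000"


def render_policy(kms_arn: str) -> dict:
    """Stand-in for templatefile("lambda_policy.json", {KMSArn = ...}) from the question."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "KMSDecryption", "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": [kms_arn]}]}


def kms_resources(policy: dict) -> set:
    """Collect every resource ARN granted by an Allow statement with kms:* actions."""
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(a.startswith("kms:") for a in actions):
            res = stmt.get("Resource", [])
            found.update([res] if isinstance(res, str) else res)
    return found


def policy_follows_alias(policy: dict, alias_target_arn: str) -> bool:
    """True if the ARN baked into the policy equals the key the alias currently targets."""
    return alias_target_arn in kms_resources(policy)


if __name__ == "__main__":
    policy = render_policy(KEY_A)  # what Terraform rendered when the alias pointed at KEY_A
    print(json.dumps(policy, indent=2))
    # Automatic rotation: key ID and ARN unchanged, alias still resolves to KEY_A.
    print("after automatic rotation:", policy_follows_alias(policy, KEY_A))   # True
    # Manual rotation by re-pointing the alias to a new key: alias now resolves to KEY_B.
    print("after manual alias re-point:", policy_follows_alias(policy, KEY_B))  # False
```

In a real pipeline the second argument would come from `data.aws_kms_alias.key_alias.target_key_arn` (or `describe-key` on the alias) at deploy time, so a changed alias target fails the plan instead of silently leaving the Lambda with access to a key no one uses.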
