AWS Unauthorised Operation AWSServiceRoleForConfig on KMS Key Decrypt

Time:11-29

Every day I'm seeing some CloudTrail logs for unauthorised KMS decrypt operations and I can't figure out what's causing it. Here is an example of the logs:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "*********************:LambdaDescribeHandlerSession",
        "arn": "arn:aws:sts::************:assumed-role/AWSServiceRoleForConfig/LambdaDescribeHandlerSession",
        "accountId": "************",
        "accessKeyId": "********************",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "********************",
                "arn": "arn:aws:iam::************:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "accountId": "************",
                "userName": "AWSServiceRoleForConfig"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-11-28T12:53:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2021-11-28T12:53:33Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::************:assumed-role/AWSServiceRoleForConfig/LambdaDescribeHandlerSession is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-west-1:************:key/********-****-****-****-************ because no resource-based policy allows the kms:Decrypt action",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "7bb5bcac-29ab-4d03-b2b9-fc9d7125286e",
    "eventID": "5308c08c-2f09-4fbe-bd10-32e7aa9ee43c",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "************",
    "eventCategory": "Management"
}

I've attempted to update the KMS policy with the following, which doesn't seem to have helped:

        {
            "Sid": "Grant AWS Config Decrypt Access To Avoid Unauthorised Errors",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "kms:Decrypt",
            "Resource": "*"
        }

I've checked the IAM role arn:aws:iam::************:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig and I can see that this does not allow the kms:Decrypt action. However, this is a managed role from AWS and I am unable to update that policy.

Is this an issue that AWS need to resolve? Is it possible to switch Config to using a custom role with the kms:Decrypt action allowed? Is that even worth it or will it just cause more problems in the future when AWS update the managed role and I haven't added something to the custom role?

CodePudding user response:

This may be a bit tricky, because of how KMS works. First of all, KMS key policies are critical for controlling access to KMS keys:

https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html

"In AWS KMS, you must attach resource-based policies to your KMS keys. These are called key policies. All KMS keys have a key policy.....You must use the key policy to control access to a KMS key. You can use the key policy alone to control access, which means the full scope of access to the KMS key is defined in a single document (the key policy)."

So the KMS key policy must exist and must allow permissions to the given IAM role - and you did achieve that with kms:Decrypt on *. The IAM Role then does not have to specify any additional permissions. So the AWSServiceRoleForConfig not having any permissions should not be an issue.

The key policies are only regional according to https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

Every KMS key must have exactly one key policy. This key policy controls access only to its associated KMS key, along with IAM policies and grants. Unlike IAM policies, which are global, key policies are Regional. Each key policy is effective only in the Region that hosts the KMS key.

So the Config service in another region should not have access; I am not sure whether that is your case, because I cannot see the region of all the ARNs in your CloudTrail.

Next thing is a common misconception about how KMS keys are supposed to be used. Many people assume that you are supposed to decrypt data directly with the KMS key, but that is not the case. The main use case is encrypting data keys, which are then used for data encryption; see for example https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys

This is why the limit on the encrypted data is only 4 KB, which should be fine for encrypting any reasonable data key: https://aws.amazon.com/kms/faqs/?nc1=h_ls

Q: What is the size limit for data sent to AWS KMS for asymmetric operations? The size limit is 4KB. If you want to digitally sign data larger than 4KB, you have the option to create a message digest of the data and send it to AWS KMS. The digital signature is created over the digest of the data and returned. You specify whether you are sending the full message or a message digest as a parameter in the Sign API request. Any data submitted to the Encrypt, Decrypt, or Re-Encrypt APIs that require use of asymmetric operations must also be less than 4KB.

That means that, in order for the key to be useful, the policy usually needs to allow more than just the kms:Decrypt action. For all AWS services the required permissions are in the documentation, and for Config it seems to be the following KMS resource policy:

https://docs.aws.amazon.com/config/latest/developerguide/s3-kms-key-policy.html Required Permissions for the KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)

If you set up AWS Config using a service-linked role, you need to attach the following permission policy to the KMS Key.

    {
        "Id": "Policy_ID",
        "Statement": [
            {
                "Sid": "AWSConfigKMSPolicy",
                "Effect": "Allow",
                "Principal": {
                    "Service": "config.amazonaws.com"
                },
                "Action": [
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": "myKMSKeyARN",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "sourceAccountID"
                    }
                }
            }
        ]
    }

It seems to me that the error may be misleading and that your kms:Decrypt error may be caused by the kms:GenerateDataKey implementation. Try adding kms:GenerateDataKey to your KMS resource policy.

If not, check that you are in the same region. If the service is in another region, look for documentation about cross-region implementation.
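As an added example (not code from the original post, the answer above, or AWS), here is a small Python triage script covering the points in this answer: it pulls the denied KMS calls out of CloudTrail events in the shape shown in the question, compares the key's Region with the call's Region (key policies are Regional), and evaluates the key policy for the config.amazonaws.com service principal to report which of the two actions the AWS Config documentation requires (kms:Decrypt and kms:GenerateDataKey) are still missing. The account ID, key ARN, sample events and both policies are constructed for illustration; the policy evaluation is a simplified model that handles only Service principals, Action/Resource wildcards, an explicit Deny and the AWS:SourceAccount condition, not the full IAM evaluation logic.

```python
"""Triage denied KMS calls from CloudTrail and check a key policy for AWS Config.
Added example, not code from the original post; the events, account ID, key ARN
and policies below are constructed for illustration."""
import re
from fnmatch import fnmatch

ACCOUNT = "111122223333"  # constructed account ID
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
REQUIRED_FOR_CONFIG = ("kms:Decrypt", "kms:GenerateDataKey")  # per the AWS Config docs
DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")

# Constructed events: a denied Decrypt shaped like the one in the question, and a
# successful GenerateDataKey that the triage must ignore.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "eu-west-1",
     "errorCode": "AccessDenied", "recipientAccountId": ACCOUNT,
     "errorMessage": (f"User: arn:aws:sts::{ACCOUNT}:assumed-role/AWSServiceRoleForConfig/"
                      "LambdaDescribeHandlerSession is not authorized to perform: kms:Decrypt "
                      f"on resource: {KEY_ARN} because no resource-based policy allows the kms:Decrypt action"),
     "userIdentity": {"invokedBy": "config.amazonaws.com",
                      "sessionContext": {"sessionIssuer": {"userName": "AWSServiceRoleForConfig"}}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "awsRegion": "eu-west-1",
     "recipientAccountId": ACCOUNT, "userIdentity": {"invokedBy": "config.amazonaws.com"}},
]

# The statement from the question: Decrypt only, no GenerateDataKey.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Grant AWS Config Decrypt Access", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"}, "Action": "kms:Decrypt", "Resource": "*"}]}

# The statement the AWS Config documentation requires for a service-linked role.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSConfigKMSPolicy", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT}}}]}

def denied_kms_calls(events):
    """One record per denied KMS call: which principal, action, key and Regions."""
    out = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("errorCode") != "AccessDenied":
            continue
        m = DENIED_RE.search(ev.get("errorMessage", ""))
        if not m:
            continue
        identity = ev.get("userIdentity", {})
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        out.append({"action": m.group(1), "key_arn": m.group(2),
                    # key policies are Regional, so compare the key's Region with the call's
                    "key_region": m.group(2).split(":")[3], "call_region": ev.get("awsRegion"),
                    "invoked_by": identity.get("invokedBy"), "role": issuer.get("userName"),
                    "account": ev.get("recipientAccountId")})
    return out

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, service, action, key_arn, account):
    """Does the statement cover this service principal, action, key and source account?"""
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if service not in services:
        return False
    if not any(fnmatch(action, pat) for pat in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch(key_arn, res) for res in _as_list(stmt.get("Resource", "*"))):
        return False
    for key, val in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:sourceaccount" and account not in _as_list(val):
            return False
    return True

def policy_allows(policy, service, action, key_arn, account):
    """Simplified key-policy evaluation for a service principal; an explicit Deny wins."""
    matched = [s for s in policy.get("Statement", []) if _matches(s, service, action, key_arn, account)]
    if any(s.get("Effect") == "Deny" for s in matched):
        return False
    return any(s.get("Effect") == "Allow" for s in matched)

def missing_config_permissions(policy, key_arn, account):
    """Actions from the AWS Config requirement that the key policy does not grant."""
    return [a for a in REQUIRED_FOR_CONFIG
            if not policy_allows(policy, "config.amazonaws.com", a, key_arn, account)]

if __name__ == "__main__":
    for d in denied_kms_calls(SAMPLE_EVENTS):
        cross = "" if d["key_region"] == d["call_region"] else " (cross-Region call)"
        print(f"{d['invoked_by']} as {d['role']} denied {d['action']} on {d['key_arn']}{cross}")
    print("weak policy missing:", missing_config_permissions(WEAK_POLICY, KEY_ARN, ACCOUNT))
    print("fixed policy missing:", missing_config_permissions(FIXED_POLICY, KEY_ARN, ACCOUNT))
```

Run against the constructed events, the script reports the one denied Decrypt by config.amazonaws.com, shows that the Decrypt-only statement from the question still lacks kms:GenerateDataKey, and shows that the documented statement grants both but only for the matching AWS:SourceAccount. To use it on real data, feed it the `Records` array from a CloudTrail log file and the output of `aws kms get-key-policy --policy-name default` (both assumptions about how you would wire it up, not something the post describes).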

CodePudding user response:

You'll need to grant the assumed role access to the key, not just the config service itself. Typically your key policy will have the following section, which you would need to edit similar to the policy snippet below:

    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:sts::0123456789:assumed-role/AWSServiceRoleForConfig/LambdaDescribeHandlerSession",
                    "arn:aws:iam::0123456789:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]

Just turn your existing Principal:AWS element into a list and add in the entry for AWSServiceRoleForConfig in addition to what other entries you already have in that stanza.
