We have a number of SecureString SSM Parameter Store values created via our bash script automations. These are encrypted with an environment-specific KMS key + Alias created via CloudFormation.
Also in the templates are IAM Roles for our EC2 instances, which need to allow retrieval and decryption of the SSM parameters. To allow this we granted access to those IAM Roles upon KMS key creation by referencing their role ARNs as principles.
However, we have some non-environment-specific SSM variables on our AWS account that persist outside of our environment CloudFormation stacks and are used by all environments.
We have recently adapted those parameters to be encrypted with the default KMS key -- alias/aws/ssm.
This approach causes an issue in regards to automation, as we need to grant usage of the default KMS key to our IAM Roles in CloudFormation. I've read the AWS documentation and cannot figure out a way of doing this.
Has anyone managed to automate this?
The default KMS key alias/aws/ssm is an AWS managed CMK. We cannot establish IAM policies or KMS key policies for AWS Managed CMKs.
Excerpt from AWS KMS FAQ,
AWS will manage the policies associated with AWS managed CMKs on your behalf. You can track AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves.
You don't have worry about defining IAM roles for accessing alias/aws/ssm key, having access to the required SSM parameter is sufficient.