I wrote the function below:
import java.util.ArrayList;
import java.util.List;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.KeyListEntry;
import com.amazonaws.services.kms.model.ListKeysRequest;
import com.amazonaws.services.kms.model.ListKeysResult;

// Collects every KeyListEntry in the account, following NextMarker until KMS stops paginating.
private List<KeyListEntry> getKeyListEntries(AWSKMS kms)
{
    ListKeysRequest listKeysRequest = new ListKeysRequest();
    List<KeyListEntry> kmsKeys = new ArrayList<>();
    boolean moreKeys = false;
    do
    {
        ListKeysResult listKeysResult = kms.listKeys(listKeysRequest);
        kmsKeys.addAll(listKeysResult.getKeys());
        // A non-empty NextMarker means another page remains to be fetched.
        moreKeys = listKeysResult.getNextMarker() != null && !listKeysResult.getNextMarker().isEmpty();
        listKeysRequest.setMarker(listKeysResult.getNextMarker());
    } while (moreKeys);
    return kmsKeys;
}
It builds a list of all KMS keys in my account. The 'moreKeys' flag is to handle pagination of the response. Elsewhere on this list, I am calling:
kms.listResourceTags
so I can determine the tags on each individual key and perform an action accordingly. My problem is, I am usually at some point hitting the default master keys, for ACM and etc.
These policies for default keys do not allow the root account to do kms:ListResourceTags, and I cannot modify them to change that. Is there a simple way for me to filter out as I am building the list so I can ignore any AWS default KMS keys?
This ended up being an Amazon bug! I raised a case and the policy was fixed by the ACM team on the default key.