amazon-web-services security aws-lambda amazon-kms

Managing access to KMS key to be used only a lambda

I have a use case where a kms key would be used to encrypt and decrypt data . how can I make sure that only the specific lambda should be able to use the kms key from AWS polices .

I tried adding Lambda ARN in kms key policies while creating, but looks like its not allowed to do the same .

how can I achieve my use case ?

Solution

Here are the steps:

Create an IAM Role for Lambda without any permissions attached.
Select the same for Define key usage permissions while creating the key.
Attach the IAM Role to the Lambda.
Start using the KMS Key in the Lambda.

As per the AWS KMS documentation

The default key policy that the console creates for symmetric CMKs allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.

AWS RDS: FATAL: password authentication failed for user "postgres"
AWS Lambda Function Keep It Alive
Cognito - Client is not enabled for OAuth2.0 flows
Are old AWS Lambda layers automatically removed? If not, how to delete them?
custom tag on EBS volume provisioned dynamically by Kubernetes
Amazon EC2 resize root device
Check which ebextensions have been run
How to change the name of a record set in Route 53 using python boto3?
AWS MQ Maintenance window
How can I control which EC2 instances get removed by an AutoScalingGroup using Amazon Web Services?
How to add --init parameter to AWS ECS Task
Pod limit on Node - AWS EKS
AWS Elastic Beanstalk: Update Platform Version & custom AMI
How to set up application load balancer (ALB) with AutoScalingGroup (ASG)
Redshift INSERT INTO TABLE from CTE
VPC SQS Endpoint dont show any dataflow for event from S3 to SQS and SQS to Lambda
How to Dynamodb send message to SQS
How to Secure amazon s3 bucket web URL of a resource against unauthorised user
Use terraform to set up a lambda function triggered by a scheduled event source
How to create aws-ebs-csi-driver with eks_blueprints_addons by Terraform?
Your current user or role does not have access to Kubernetes objects on this EKS cluster
S3: What event (in target bucket) is generated when a file is replicated to target bucket?
How can I responsibly deploy a Neo4j docker container in AWS?
Zip multiple S3 files and stream the archive back to S3 using limited memory
Reached your quota for maximum Fleet Requests for this account
EBS vs EFS read and write latencies
AWS - Any way to have cross-AZ redundancy with EBS
How to enable ReadWriteMany access mode using an io2 EBS Volume
How the multiple replicas of k8s deployment running on different node read from aws EBS volume in READWRITEMANY pv mode?
AWS Spring boot Nginx - File upload 1KB works - 250KB fails with 403 Forbidden