Tags: amazon-web-services, amazon-iam, amazon-kms

How to secure access to a KMS key and set up its resource policy


I have a resource policy on my KMS key that allows access from the root account and some additional IAM roles used with Jenkins (Role A).

I was able to update an IAM policy for a User (User B) that allows access to the KMS key ARN and KMS:* actions. This allowed the IAM User to access the key for necessary actions.

From the documentation I was reading I was under the assumption that the KMS key resource policy needed to be updated to allow access to the key, but it seems updating the IAM User's policy allows for access.

How can I secure my KMS key so that the KMS key resource policy is the source of truth for what users/roles are allowed access to the key? Do I need to set an explicit Deny on the KMS key policy and set an excluding condition for Users/Roles that are allowed access?

Is what I'm currently observing the expected behavior with the KMS key policy and IAM User policy? Is this due to the IAM User's policy having an explicit allow for the key?


Solution

  • The effective permissions will be a logical intersection between the identity-based policy of the IAM role and the resource-based policy of the KMS key.

    How can I secure my KMS key so that the KMS key resource policy is the source of truth for what users/roles are allowed access to the key? Do I need to set an explicit Deny on the KMS key policy and set an excluding condition for Users/Roles that are allowed access?

    If you wanted to set up a "single source of truth", you would have to have the identity-based policy whitelist all KMS actions and have the resource-based policy deny certain ones as required.
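To make the interaction concrete, here is a small Python model of how a same-account KMS request is decided from the key policy plus the caller's IAM policy. It is an added example, not code from the question or the answer, and it models only the documented rules relevant here: an explicit Deny in either policy wins; a key policy statement that names the caller grants access directly; a statement that names the account root (`arn:aws:iam::<account>:root`) grants nothing by itself but lets IAM identity policies in that account allow the action. The account id, key id and the `RoleA`/`UserB` principals are constructed placeholders, only the `aws:PrincipalArn` condition key is supported, and the `KEY_POLICY_LOCKED` document is the "explicit Deny with an exception list" idea from the question written out.

```python
from fnmatch import fnmatchcase

# Constructed placeholders, not values from the question.
ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/RoleA"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/UserB"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"

NEGATED = ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike")
POSITIVE = ("ArnEquals", "ArnLike", "StringEquals", "StringLike")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _stmt_applies(stmt, caller, action, resource):
    """Action, Resource and Condition of one statement match the request."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, vals in keys.items():
            if key != "aws:PrincipalArn":
                raise ValueError("this toy evaluator only models aws:PrincipalArn")
            hit = any(fnmatchcase(caller, v) for v in _as_list(vals))
            if (op in POSITIVE and not hit) or (op in NEGATED and hit):
                return False
    return True


def _key_policy_verdict(key_policy, caller, action, resource):
    """'deny', 'allow' (caller named directly), 'delegate' (root named) or 'none'."""
    verdict = "none"
    for stmt in key_policy["Statement"]:
        if not _stmt_applies(stmt, caller, action, resource):
            continue
        p = stmt.get("Principal")
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        direct = "*" in principals or caller in principals
        if stmt["Effect"] == "Deny":
            if direct:                       # root in a Deny is not modelled here
                return "deny"
            continue
        if direct:
            verdict = "allow"
        elif ROOT in principals and caller.startswith(f"arn:aws:iam::{ACCOUNT}:"):
            verdict = "delegate" if verdict == "none" else verdict
    return verdict


def _iam_verdict(iam_policy, caller, action, resource):
    verdict = "none"
    for stmt in (iam_policy or {"Statement": []})["Statement"]:
        if not _stmt_applies(stmt, caller, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        verdict = "allow"
    return verdict


def is_allowed(key_policy, iam_policy, caller, action, resource=KEY_ARN):
    """Combine both policies the way KMS does for a same-account caller."""
    kp = _key_policy_verdict(key_policy, caller, action, resource)
    ip = _iam_verdict(iam_policy, caller, action, resource)
    if kp == "deny" or ip == "deny":
        return False
    if kp == "allow":
        return True
    return kp == "delegate" and ip == "allow"


# The situation described in the question: root enabled, Role A named directly.
KEY_POLICY_ORIGINAL = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}

# Same policy plus an explicit Deny for every principal not on the exception list.
# Every principal that must keep access (key administrators included, or the key
# becomes unmanageable) has to be listed; for a role, aws:PrincipalArn is the role ARN.
KEY_POLICY_LOCKED = {"Statement": KEY_POLICY_ORIGINAL["Statement"] + [
    {"Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [ROLE_A, ROOT]}}},
]}

# User B's identity policy from the question: kms:* on the key ARN.
IAM_POLICY_USER_B = {"Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print("User B, original key policy :", is_allowed(KEY_POLICY_ORIGINAL, IAM_POLICY_USER_B, USER_B, "kms:Decrypt"))
    print("User B, locked key policy   :", is_allowed(KEY_POLICY_LOCKED, IAM_POLICY_USER_B, USER_B, "kms:Decrypt"))
    print("Role A, locked key policy   :", is_allowed(KEY_POLICY_LOCKED, None, ROLE_A, "kms:Decrypt"))
```

The first call reproduces what the question observed: the root statement in the key policy delegates to IAM, and User B's `kms:*` identity policy is enough. The second shows that once the key policy carries a Deny whose `aws:PrincipalArn` exception list omits User B, the identity policy no longer helps, because an explicit Deny is evaluated before any Allow. The third shows Role A still working with no identity policy at all, since the key policy names it directly and it is on the exception list.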