Tags: amazon-web-services, aws-lambda, amazon-kms

How to restrict KMS decryption to only a lambda function and not others?


Hi, I am trying to write a KMS key policy where only a particular Lambda function is allowed to encrypt or decrypt with the KMS key, not anyone else, not even an IAM user. The current key policy is like this:

{
    "Version": "2012-10-17",
    "Id": keyName,
    "Statement": [
        {
            "Sid": "AllowLambda",
            "Effect": "Allow",
            "Principal": {
                "AWS": roleArn // execution role of the Lambda function
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": userArn // Replace with the ARN of the IAM user (or account root) that owns the key
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

This is working fine, but the problem is that if I write a script on my local machine, authenticated using the AWS CLI (not invoking the Lambda, just a normal Node.js script), to decrypt with the KMS key, I am able to do so (which I don't want). I only want the Lambda function to be able to do so. If I restrict the IAM user by doing something like this:

{
    "Version": "2012-10-17",
    "Id": keyName,
    "Statement": [
        {
            "Sid": "AllowLambda",
            "Effect": "Allow",
            "Principal": {
                "AWS": roleArn // execution role of the Lambda function
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": userArn // Replace with the ARN of the IAM user (or account root) that owns the key
            },
            "Action": [ // administrative actions only; no kms:Encrypt / kms:Decrypt
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:GenerateDataKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Then I am getting the error that the assumed role is not allowed to decrypt when invoking the Lambda function.


Solution

  • Fixed it; actually I was decrypting data that was encrypted using a different KMS key!
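The following is an added example, not code from the question or the answer above. It builds the two key-policy shapes from the question in Python (one granting the non-Lambda principal `kms:*`, one granting it administrative actions only) and evaluates them offline with a small model of key-policy logic: explicit Deny wins, otherwise an Allow whose principal and action match is needed, and a statement naming the account root (or bare account ID) means IAM policies in that account may grant the listed actions, which is the usual reason a locally authenticated IAM user can still decrypt. It also adds a check that a `Decrypt` response's `KeyId` names the key you expected, since the solution's root cause was ciphertext produced under a different key. The ARNs, key name and response dict are placeholders; `kms:GenerateDataKey` is deliberately left out of the admin list because it returns plaintext key material.

```python
"""Offline model of the key policies in the question, plus a Decrypt key check.
Added example; all ARNs and sample data are made-up placeholders."""
import fnmatch
import json

# Only the workload (the Lambda execution role) should hold these.
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt"]

# Administrative actions from the question's second policy, without
# kms:GenerateDataKey (it returns plaintext key material, so it is cryptographic).
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:TagResource", "kms:UntagResource",
]


def build_key_policy(key_name, lambda_role_arn, admin_arn, admin_actions=ADMIN_ACTIONS):
    """Key policy: Encrypt/Decrypt for the Lambda role, admin_actions for admin_arn."""
    return {
        "Version": "2012-10-17",
        "Id": key_name,
        "Statement": [
            {"Sid": "AllowLambda", "Effect": "Allow",
             "Principal": {"AWS": lambda_role_arn},
             "Action": list(CRYPTO_ACTIONS), "Resource": "*"},
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": list(admin_actions), "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(statement, principal_arn, iam_allows):
    account = _account_of(principal_arn)
    for entry in _as_list(statement["Principal"]["AWS"]):
        if entry in ("*", principal_arn):
            return True
        # Naming the account root (or bare account ID) in a key policy lets IAM
        # policies in that account grant the statement's actions. The caller
        # says whether such an IAM policy exists for this principal.
        if iam_allows and entry in (account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def is_allowed(policy, principal_arn, action, iam_allows=False):
    """Evaluate one principal/action pair against a key policy.

    An explicit Deny wins over any Allow; otherwise at least one Allow must match.
    Resource is always "*" in a key policy, so it is not checked.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not _principal_matches(statement, principal_arn, iam_allows):
            continue
        if not any(fnmatch.fnmatchcase(action, pattern)
                   for pattern in _as_list(statement["Action"])):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def decrypt_used_expected_key(decrypt_response, expected_key_arn):
    """True if a kms:Decrypt response reports the key you expected.

    The response's "KeyId" is the ARN of the key KMS actually used, so a mismatch
    means the ciphertext was produced under a different key, which is what the
    solution above found. Passing KeyId to Decrypt makes KMS reject a mismatch
    itself (IncorrectKeyException) instead of leaving you to guess.
    """
    return decrypt_response.get("KeyId") == expected_key_arn


if __name__ == "__main__":
    lambda_role = "arn:aws:iam::123456789012:role/secrets-reader-lambda"  # placeholder
    dev_user = "arn:aws:iam::123456789012:user/dev"                       # placeholder
    loose = build_key_policy("demo-key", lambda_role, dev_user, admin_actions=["kms:*"])
    tight = build_key_policy("demo-key", lambda_role, dev_user)
    print(json.dumps(tight, indent=2))
    for label, policy in (("kms:* for the user", loose), ("admin-only for the user", tight)):
        print(f"{label}: user can Decrypt = {is_allowed(policy, dev_user, 'kms:Decrypt')}")
```

Run it as a script to print the tightened policy and the Decrypt verdict for both variants. The model ignores grants, `kms:ViaService` and other conditions, so treat it as a way to reason about the statements on this page, not as a substitute for the IAM policy simulator or a real test call.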