AWS global condition keys
AWS defines global condition keys, a set of policy conditions keys for all AWS services that use IAM for access control. AWS KMS supports all global condition keys. You can use them in AWS KMS key policies and IAM policies.
For example, you can use the aws:PrincipalArn global condition key to allow access to an AWS KMS key (KMS key) only when the principal in the request is represented by the Amazon Resource Name (ARN) in the condition key value. To support attribute-based access control (ABAC) in AWS KMS, you can use the aws:ResourceTag/tag-key global condition key in an IAM policy to allow access to KMS keys with a particular tag.
To help prevent an AWS service from being used as a confused deputy in a policy where the principal is an AWS service principal, you can use the aws:SourceArn or aws:SourceAccount global condition keys. For details, see Using aws:SourceArn or aws:SourceAccount condition keys.
For information about AWS global condition keys, including the types of requests in which they are available, see AWS Global Condition Context Keys in the IAM User Guide. For examples of using global condition keys in IAM policies, see Controlling Access to Requests and Controlling Tag Keys in the IAM User Guide.
The following topics provide special guidance for using condition keys based on IP addresses and VPC endpoints.
Topics
Using the IP address condition in policies with AWS KMS permissions
You can use AWS KMS to protect your data in an integrated AWS service. But use caution when specifying the IP address condition operators or the aws:SourceIp
condition key in
the same policy statement that allows or denies access to AWS KMS. For example, the policy in
AWS: Denies
Access to AWS Based on the Source IP restricts AWS actions to requests from
the specified IP range.
Consider this scenario:
-
You attach a policy like the one shown at AWS: Denies Access to AWS Based on the Source IP to an IAM identity. You set the value of the
aws:SourceIp
condition key to the range of IP addresses for the user's company. This IAM identity has other policies attached that allow it to use Amazon EBS, Amazon EC2, and AWS KMS. -
The identity attempts to attach an encrypted EBS volume to an EC2 instance. This action fails with an authorization error even though the user has permission to use all the relevant services.
Step 2 fails because the request to AWS KMS to decrypt the volume's encrypted data key comes from an IP address that is associated with the Amazon EC2 infrastructure. To succeed, the request must come from the IP address of the originating user. Because the policy in step 1 explicitly denies all requests from IP addresses other than those specified, Amazon EC2 is denied permission to decrypt the EBS volume's encrypted data key.
Also, the aws:sourceIP
condition key is not effective when the request
comes from an Amazon VPC endpoint. To
restrict requests to a VPC endpoint, including an AWS KMS VPC
endpoint, use the aws:sourceVpce
or aws:sourceVpc
condition keys. For more information, see VPC Endpoints -
Controlling the Use of Endpoints in the Amazon VPC User
Guide.
Using VPC endpoint conditions in policies with AWS KMS permissions
AWS KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints that are powered by AWS PrivateLink. You can use the following global condition keys in key policies and IAM policies to control access to AWS KMS resources when the request comes from a VPC or uses a VPC endpoint. For details, see Use VPC endpoints to control access to AWS KMS resources.
-
aws:SourceVpc
limits access to requests from the specified VPC. -
aws:SourceVpce
limits access to requests from the specified VPC endpoint.
If you use these condition keys to control access to KMS keys, you might inadvertently deny access to AWS services that use AWS KMS on your behalf.
Take care to avoid a situation like the IP address condition keys example. If you restrict requests for a KMS key to a VPC or VPC endpoint, calls to AWS KMS from an integrated service, such as Amazon S3 or Amazon EBS, might fail. This can happen even if the source request ultimately originates in the VPC or from the VPC endpoint.