feat(kms): change default key policy to align with KMS best practices (under feature flag) #11918
Conversation
njlynch
added
the
pr/requires-two-approvers
|
|
… (under feature flag) In #5575, a new flag (`trustAccountIdentities`) was introduced which -- when set -- changes the default key policy from a custom key admin policy to one that grants all access to the key to the root account user. This key policy matches the default policy when a key is created via the KMS APIs or console. For backwards-compatibility reasons, the default for `trustAccountIdentities` had to be set to `false`. Without the flag explicitly set, the default key policy is one that (a) doesn't match the KMS-recommended admin policy and (b) doesn't explicitly enable IAM principal policies to acccess the key. This means that all usage operations (e.g., Encrypt, GenerateDataKey) must be added to both the key policy and to the principal policy. This change introduces a new feature flag to flip the default behavior of the `trustAccountIdentities` flag, so new keys created will have the sane defaults matching the KMS recommended best practices. As a related change, this feature flag also changes the behavior when a user passes in `policy` when creating a Key. Without the feature flag set, the policy is always appended to the default key policy. With the feature flag set, the policy will *override* the default key policy, enabling users to opt-out of the default key policy to introduce a more restrictive policy if desired. This also matches the KMS API behavior, where a policy provided by the user will override the defaults. Marking this PR as `requires-two-approvers` to ensure this PR gets an appropriately-critical review. BREAKING CHANGE: change the default value of trustAccountIdentities to true, which will result in the key getting the KMS-recommended default key policy. This is enabled through the '@aws-cdk/aws-kms:defaultKeyPolicies' feature flag. fixes #8977 fixes #10575 fixes #11309
njlynch
force-pushed
the
njlynch/kms-key-policies
branch
from
4a95875
to
ef7f64a
Compare
|
Note that the PR is broken up into 2 commits: the first is the set of changes to KMS; the second is all of the (integ) tests that were updated due to the change in ordering of the KMS actions for the (old) default admin policy. I could have coded around this, but I really wanted |
There was a problem hiding this comment.
I still feel like I would avoid the feature flag here, and change the default policy (I wouldn't change the append/override behavior though), since it seems like it's so broken. I'm not holding the PR on changing that though.
A few comments, mainly around naming (things which I didn't "grok" when looking at the code on the first pass).
Also, since we're in the area already, is this a good time to handle #4381 ?
...ages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
Outdated
Show resolved
Hide resolved
This reverts commit ef7f64a.
njlynch
force-pushed
the
njlynch/kms-key-policies
branch
from
996b6e1
to
0307e64
Compare
@skinny85 - The only difference I'm seeing is that S3/DynamoDB That being said, if you (and others) think it's okay to make that change without a feature flag, I'm happy enough to do it as a separate PR right after this one. Just don't want to unnecessarily muddy the waters here. |
|
Thank you for contributing! Your pull request will be automatically updated and merged (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged (do not update manually, and be sure to allow changes to be pushed to your fork). |
… (under feature flag) (aws#11918) In aws#5575, a new flag (`trustAccountIdentities`) was introduced which -- when set -- changes the default key policy from a custom key admin policy to one that grants all access to the key to the root account user. This key policy matches the default policy when a key is created via the KMS APIs or console. For backwards-compatibility reasons, the default for `trustAccountIdentities` had to be set to `false`. Without the flag explicitly set, the default key policy is one that (a) doesn't match the KMS-recommended admin policy and (b) doesn't explicitly enable IAM principal policies to acccess the key. This means that all usage operations (e.g., Encrypt, GenerateDataKey) must be added to both the key policy and to the principal policy. This change introduces a new feature flag to flip the default behavior of the `trustAccountIdentities` flag, so new keys created will have the sane defaults matching the KMS recommended best practices. As a related change, this feature flag also changes the behavior when a user passes in `policy` when creating a Key. Without the feature flag set, the policy is always appended to the default key policy. With the feature flag set, the policy will *override* the default key policy, enabling users to opt-out of the default key policy to introduce a more restrictive policy if desired. This also matches the KMS API behavior, where a policy provided by the user will override the defaults. Marking this PR as `requires-two-approvers` to ensure this PR gets an appropriately-critical review. BREAKING CHANGE: change the default value of trustAccountIdentities to true, which will result in the key getting the KMS-recommended default key policy. This is enabled through the '@aws-cdk/aws-kms:defaultKeyPolicies' feature flag. fixes aws#8977 fixes aws#10575 fixes aws#11309 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In #5575, a new flag (
trustAccountIdentities) was introduced which -- when set-- changes the default key policy from a custom key admin policy to one that
grants all access to the key to the root account user. This key policy matches
the default policy when a key is created via the KMS APIs or console.
For backwards-compatibility reasons, the default for
trustAccountIdentitieshad to be set to
false. Without the flag explicitly set, the default keypolicy is one that (a) doesn't match the KMS-recommended admin policy and (b)
doesn't explicitly enable IAM principal policies to acccess the key. This means
that all usage operations (e.g., Encrypt, GenerateDataKey) must be added to both
the key policy and to the principal policy.
This change introduces a new feature flag to flip the default behavior of the
trustAccountIdentitiesflag, so new keys created will have the sane defaultsmatching the KMS recommended best practices.
As a related change, this feature flag also changes the behavior when a user
passes in
policywhen creating a Key. Without the feature flag set, the policyis always appended to the default key policy. With the feature flag set, the
policy will override the default key policy, enabling users to opt-out of the
default key policy to introduce a more restrictive policy if desired. This also
matches the KMS API behavior, where a policy provided by the user will override
the defaults.
Marking this PR as
requires-two-approversto ensure this PR gets anappropriately-critical review.
BREAKING CHANGE: change the default value of trustAccountIdentities to true,
which will result in the key getting the KMS-recommended default key
policy. This is enabled through the '@aws-cdk/aws-kms:defaultKeyPolicies'
feature flag.
fixes #8977
fixes #10575
fixes #11309
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license