Merge pull request #606 from salexpdx/master
Adding some KMS Gotchas
QuinnyPig authored May 30, 2018
2 parents be6809e + 6ebe60c commit 8e06fca
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -52,7 +52,7 @@ Table of Contents
| [Route 53](#route-53) | [πŸ“—](#route-53-basics) | [πŸ“˜](#route-53-tips) | |
| [CloudFormation](#cloudformation) | [πŸ“—](#cloudformation-basics) | [πŸ“˜](#cloudformation-tips) | [πŸ“™](#cloudformation-gotchas-and-limitations) |
| [VPCs, Network Security, and Security Groups](#vpcs-network-security-and-security-groups) | [πŸ“—](#vpc-basics) | [πŸ“˜](#vpc-and-network-security-tips) | [πŸ“™](#vpc-and-network-security-gotchas-and-limitations) |
| [KMS](#kms) | [πŸ“—](#kms-basics) | [πŸ“˜](#kms-tips) | |
| [KMS](#kms) | [πŸ“—](#kms-basics) | [πŸ“˜](#kms-tips) | [πŸ“™](#kms-gotchas-and-limitations) |
| [CloudFront](#cloudfront) | [πŸ“—](#cloudfront-basics) | [πŸ“˜](#cloudfront-tips) | [πŸ“™](#cloudfront-gotchas-and-limitations) |
| [DirectConnect](#directconnect) | [πŸ“—](#directconnect-basics) | [πŸ“˜](#directconnect-tips) | |
| [Redshift](#redshift) | [πŸ“—](#redshift-basics) | [πŸ“˜](#redshift-tips) | [πŸ“™](#redshift-gotchas-and-limitations) |
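Review bot: the new fourth-column link in the KMS row points at `#kms-gotchas-and-limitations`, but the second hunk in this commit only adds bullets to an existing list and shows no heading being added, so please confirm the README already contains a "KMS Gotchas and Limitations" heading (GitHub slugs it to exactly that anchor, matching the pattern of the CloudFormation, VPC and CloudFront rows); otherwise the table cell will render as a dead link.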
Expand Down Expand Up @@ -1680,6 +1680,9 @@ KMS
- πŸ”ΈKMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3.
- πŸ”ΈIn order to encrypt a multi-part upload to S3, the KMS Key Policy needs to allow β€œkms:Decrypt” and β€œkms:GenerateDataKey*” in addition to β€œkms:Encrypt”, otherwise the upload will fail with an β€œAccessDenied” error.
- πŸ”ΈKMS keys are region specific β€” they are stored and can only be used in the region in which they are created. They can't be transferred to other regions.
- πŸ”ΈKMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset [Reduce the Risk of the Key Becoming Unmanagable](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam).
- πŸ”ΈIf you use a key policy to grant access to IAM roles or users and then delete the user/role, recreating the user or role won't grant them permission to the key again.


CloudFront
----------
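Review bot: the first added bullet has a spelling error in its link text ("Unmanagable" should be "Unmanageable") and runs the link straight into the sentence; suggest "...reach out to support to have the key policy reset (see [Reduce the Risk of the Key Becoming Unmanageable](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam))." Also consider replacing "grant access to something" with the concrete principal the default policy uses, e.g. "must grant at least one principal, normally the account root (which enables IAM policies), permission to manage the key". The second added bullet states the effect but not the cause, which is what makes the gotcha memorable: when an IAM user or role named in a key policy is deleted, KMS replaces its ARN with the principal's unique ID, so a recreated user or role with the same name has a new unique ID and no longer matches; suggest appending "...because KMS replaces the deleted principal's ARN in the policy with its unique ID, which a recreated principal will not share."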