Added kms:GenerateDataKey action to KMSEncryptPolicy policy #3657
Conversation
Thank you for contributing! Will do a review of this internally.
I see in the issue comments that someone requested these Actions.
Any reason why we shouldn't include
TBH I wasn't sure what these additional permissions were used for, and rather than adding permissions that might not be needed, I was just trying to resolve my own simple use-case of encrypting a value (i.e. principle of least privilege). I will change my specification of "kms:GenerateDataKey" to "kms:GenerateDataKey*", to allow the use of all of these encryption functions:
But regarding the others: I think the pertinent question is whether it is more appropriate to include kms:ReEncryptFrom, kms:ReEncryptTo and kms:DescribeKey in the KMSEncryptPolicy definition, or create separate policy definitions for those? (I don't believe I'm qualified to answer that question myself, and TBH I have no need of these additional permissions.)
I noticed that almost all other policies listed actions explicitly, rather than using "*" (wildcard), so I've done the same in the latest commit.
I can take a look at this.
… "KMSEncryptPolicy" definition.
This is now complete in the latest commit. Please let me know if anything is still outstanding. Thanks,
@aaythapa can you please fix the status of this pull request. I seem to have inadvertently marked it for review. Sorry about that! :-(
Issue
#1796 KMSEncryptPolicy cannot be used to encrypt
Description of changes
The KMSEncryptPolicy policy lacks the permission required to encrypt data using a data key. This trivial fix adds the missing permission.
Description of how you validated changes
Copied and pasted the change into the policy on AWS (that had been deployed using SAM), and confirmed that this allowed the encrypt function to work.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
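Added example (not code from the SAM project or from this PR): a small Python check that applies IAM action matching to constructed KMSEncryptPolicy-style statements, showing why kms:Encrypt alone fails for envelope encryption and what the explicit action list versus the kms:GenerateDataKey* wildcard discussed above each grants. The key ARN and the action catalog are constructed for illustration.

```python
"""Least-privilege check for a KMS encrypt policy statement (added example)."""
import fnmatch

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"  # constructed

# Constructed "before" statement: kms:Encrypt only, so a client that
# encrypts with a generated data key (envelope encryption) is denied.
BEFORE = {"Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": KEY_ARN}

# Constructed "after" statement: actions listed explicitly, as in the PR.
AFTER = {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
         "Resource": KEY_ARN}

# Wildcard variant considered in the thread before the explicit list was chosen.
WILDCARD = {"Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
            "Resource": KEY_ARN}

# What the fix is meant to enable: Encrypt plus generating a data key.
REQUIRED_FOR_ENVELOPE = ["kms:Encrypt", "kms:GenerateDataKey"]

# Constructed catalog of KMS actions used only to measure wildcard spread.
CATALOG = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
           "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
           "kms:GenerateDataKeyWithoutPlaintext"]


def action_allowed(statement, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(statement, required):
    """Required actions the statement does not grant (should be empty)."""
    return [a for a in required if not action_allowed(statement, a)]


def extra_grants(statement, required, catalog):
    """Catalog actions granted beyond what is required (least-privilege audit)."""
    return sorted(a for a in catalog
                  if action_allowed(statement, a) and a not in required)
```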