From 6ebe60c7c58debabdec291be2accfe2b17218928 Mon Sep 17 00:00:00 2001 From: Scott Alexander Date: Wed, 30 May 2018 09:22:58 -0700 Subject: [PATCH] adding link to AWS docs mentioning risks of keys being unmanagable. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2d61634..3201a7d 100644 --- a/README.md +++ b/README.md @@ -1680,7 +1680,7 @@ KMS - 🔸KMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3. - 🔸In order to encrypt a multi-part upload to S3, the KMS Key Policy needs to allow “kms:Decrypt” and “kms:GenerateDataKey*” in addition to “kms:Encrypt”, otherwise the upload will fail with an “AccessDenied” error. - 🔸KMS keys are region specific — they are stored and can only be used in the region in which they are created. They can't be transferred to other regions. -- 🔸KMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset. +- 🔸KMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset [Reduce the Risk of the Key Becoming Unmanagable](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam). - 🔸If you use a key policy to grant access to IAM roles or users and then delete the user/role, recreating the user or role won't grant them permission to the key again.