From dff5fa2e73cf7ba0312dc433b5c1ce67a9f65986 Mon Sep 17 00:00:00 2001 From: Scott Alexander Date: Tue, 29 May 2018 23:21:04 -0700 Subject: [PATCH 1/3] adding links to KMS gotchas in main list --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 801a0b2..82aee31 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ Table of Contents | [Route 53](#route-53) | [📗](#route-53-basics) | [📘](#route-53-tips) | | | [CloudFormation](#cloudformation) | [📗](#cloudformation-basics) | [📘](#cloudformation-tips) | [📙](#cloudformation-gotchas-and-limitations) | | [VPCs, Network Security, and Security Groups](#vpcs-network-security-and-security-groups) | [📗](#vpc-basics) | [📘](#vpc-and-network-security-tips) | [📙](#vpc-and-network-security-gotchas-and-limitations) | -| [KMS](#kms) | [📗](#kms-basics) | [📘](#kms-tips) | | +| [KMS](#kms) | [📗](#kms-basics) | [📘](#kms-tips) | [📙](#kms-gotchas-and-limitations) | | [CloudFront](#cloudfront) | [📗](#cloudfront-basics) | [📘](#cloudfront-tips) | [📙](#cloudfront-gotchas-and-limitations) | | [DirectConnect](#directconnect) | [📗](#directconnect-basics) | [📘](#directconnect-tips) | | | [Redshift](#redshift) | [📗](#redshift-basics) | [📘](#redshift-tips) | [📙](#redshift-gotchas-and-limitations) | From 2c2876ddad37fd0510fad2ba409fa9a85fb9d1c4 Mon Sep 17 00:00:00 2001 From: Scott Alexander Date: Tue, 29 May 2018 23:21:18 -0700 Subject: [PATCH 2/3] adding two new KMS gotchas --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 82aee31..2d61634 100644 --- a/README.md +++ b/README.md 
@@ -1680,6 +1680,9 @@ KMS - 🔸KMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3. - 🔸In order to encrypt a multi-part upload to S3, the KMS Key Policy needs to allow “kms:Decrypt” and “kms:GenerateDataKey*” in addition to “kms:Encrypt”, otherwise the upload will fail with an “AccessDenied” error. - 🔸KMS keys are region specific — they are stored and can only be used in the region in which they are created. They can't be transferred to other regions. +- 🔸KMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset. +- 🔸If you use a key policy to grant access to IAM roles or users and then delete the user/role, recreating the user or role won't grant them permission to the key again. + CloudFront ---------- From 6ebe60c7c58debabdec291be2accfe2b17218928 Mon Sep 17 00:00:00 2001 From: Scott Alexander Date: Wed, 30 May 2018 09:22:58 -0700 Subject: [PATCH 3/3] adding link to AWS docs mentioning risks of keys being unmanageable. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2d61634..3201a7d 100644 --- a/README.md +++ b/README.md 
@@ -1680,7 +1680,7 @@ KMS - 🔸KMS audit events are not available in the [CloudTrail Lookup Events API](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html). You need to look find them in the raw .json.gz files that CloudTrail saves in S3. - 🔸In order to encrypt a multi-part upload to S3, the KMS Key Policy needs to allow “kms:Decrypt” and “kms:GenerateDataKey*” in addition to “kms:Encrypt”, otherwise the upload will fail with an “AccessDenied” error. - 🔸KMS keys are region specific — they are stored and can only be used in the region in which they are created. They can't be transferred to other regions. -- 🔸KMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset. +- 🔸KMS keys have a key policy that must grant access to something to manage the key. If you don't grant anything access to the key on creation, then you have to reach out to support to have the key policy reset [Reduce the Risk of the Key Becoming Unmanagable](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam). - 🔸If you use a key policy to grant access to IAM roles or users and then delete the user/role, recreating the user or role won't grant them permission to the key again.
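Review bot: The new `[📙](#kms-gotchas-and-limitations)` cell in the table-of-contents row of patch 1/3 only resolves if the README has a heading that GitHub slugs to `kms-gotchas-and-limitations`; patches 2/3 add bullets under the existing `KMS` section around line 1680, but no heading named "KMS Gotchas and Limitations" is visible in any hunk, so please confirm the target heading exists. The slug itself follows the convention of the neighbouring rows (`#cloudformation-gotchas-and-limitations`, `#vpc-and-network-security-gotchas-and-limitations`), so only the presence of the heading needs checking.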
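Review bot: The second bullet added in patch 2/3 ("recreating the user or role won't grant them permission to the key again") states the symptom without the cause, and the cause is what lets a reader avoid it: when a key policy names an IAM user or role by ARN, KMS stores the principal's unique ID, and once the principal is deleted the policy shows that ID in place of the ARN, so a recreated user or role with the same name is a different principal and matches nothing. Suggest adding one sentence to that effect plus the mitigation: keep the default key-policy statement that lets IAM policies in the account control access, and grant through IAM policies rather than naming principals directly in the key policy. Minor: the added trailing `+` blank line leaves two blank lines before the `CloudFront` heading.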
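Review bot: In patch 3/3 the link is dropped into the sentence so it now reads `... to have the key policy reset [Reduce the Risk of the Key Becoming Unmanagable](...).`, with the full stop after the link and no connective; suggest `..., see [Reduce the Risk of the Key Becoming Unmanageable](...).` (the AWS page title spells it "Unmanageable"). Since the linked anchor `key-policy-default-allow-root-enable-iam` is about the default key-policy statement that lets the account root, and therefore IAM policies, manage the key, the bullet would be more actionable if it named that statement: the key becomes unmanageable when it is omitted or replaced by one that only names principals which can later be deleted, and keeping it is the fix short of contacting support.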