Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recent sample configuration change unintentionally blocks all KMS Key Alias deletions #686

Open
5 of 6 tasks
itmustbejj opened this issue Dec 20, 2024 · 1 comment
Open
5 of 6 tasks

Recent sample configuration change unintentionally blocks all KMS Key Alias deletions #686

itmustbejj opened this issue Dec 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@itmustbejj
Copy link

itmustbejj commented Dec 20, 2024
edited
Loading

Describe the bug

A recent change to add DeleteAlias to a sample guardrails SCP had the unintended effect of blocking all DeleteAlias calls for any kms alias, not just ones prefixed with "alias/accelerator*".

The issue is that the DeleteAlias action does not include kms:ResourceAliases in its request context, so this condition:

		"ForAllValues:StringLike": {
          "kms:ResourceAliases": [
            "alias/accelerator*"
          ]
        },

is functionally ignored, and the statement is evaluated as:

{
      "Sid": "PreventKeyModification",
      "Effect": "Deny",
      "Action": [
        "kms:DisableKeyRotation",
        "kms:CancelKeyDeletion",
        "kms:ScheduleKeyDeletion",
        "kms:DisableKey",
        "kms:DeleteAlias"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
          ]
        }
      }
    }

To Reproduce
Try to delete any Kms Alias with a role that does not match one of the prefixes in the above condition.

    error: deleting urn:<truncated>: 1 error occurred:
    	* deleting KMS Alias (alias/sand-<truncated>): operation error KMS: DeleteAlias, https response error StatusCode: 400, RequestID: <truncated>, api error AccessDeniedException: User: arn:aws:sts::<truncated>:assumed-role/<truncated> is not authorized to perform: kms:DeleteAlias on resource: arn:aws:kms:<truncated> with an explicit deny in a service control policy

Reverting the recent change adding DeleteAlias allows the deletion to work as expected.

Expected behavior
The SCP only prevents kms aliases prefixed with alias/accelerator* from being deleted by roles not matching those arn prefixes.

Please complete the following information about the solution:

  • Version: 1.11.0
  • Region: [e.g. us-east-1]
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses?
  • Were there any errors in the CloudWatch Logs?

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
Add any other context about the problem here.
@itmustbejj itmustbejj added the bug Something isn't working label Dec 20, 2024
@itmustbejj
Copy link
Author

cc @keajaared732 @erwaxler

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@itmustbejj