Permissions for the KMS Key for the Amazon Config Delivery Channel - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions for the KMS Key for the Amazon Config Delivery Channel

Use the information in this topic if you want to create a policy for an Amazon KMS key for your S3 bucket that allows you to use KMS-based encryption on objects delivered by Amazon Config for S3 bucket delivery.

Required Permissions for the KMS Key When Using IAM Roles (S3 Bucket Delivery)

If you set up Amazon Config using an IAM role, you can attach the following permission policy to the KMS key:

{
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "myKMSKeyARN",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}
Note

If the IAM role, Amazon S3 bucket policy, or Amazon KMS key do not provide appropriate access to Amazon Config, then Amazon Config’s attempt to send configuration information to the Amazon S3 bucket will fail. In this event, Amazon Config sends the information again, this time as the Amazon Config service principal. For this case, you must attach a permission policy, mentioned below, to the Amazon KMS key to grant Amazon Config access to use the key when delivering information to the Amazon S3 bucket.

Required Permissions for the Amazon KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)

The Amazon Config service-linked role does not have permission to access the Amazon KMS key. So, if you set up Amazon Config using a service-linked role, Amazon Config will send information as the Amazon Config service principal instead. You will need to attach an access policy, mentioned below, to the Amazon KMS key to grant Amazon Config access to use the Amazon KMS key when delivering information to the Amazon S3 bucket.

Granting Amazon Config access to the Amazon KMS Key

This policy allows Amazon Config to use an Amazon KMS key when delivering information to an Amazon S3 bucket.

{
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "myKMSKeyARN",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}

Substitute the following values in the key policy:

  • myKMSKeyARN – The ARN of the Amazon KMS key used to encrypt data in the Amazon S3 bucket that Amazon Config will deliver configuration items to.

  • sourceAccountID – The ID of the account on whose behalf Amazon Config will deliver configuration items.

You can use the AWS:SourceAccount condition in the Amazon KMS key policy above to restrict the Config service principal to only interact with the Amazon KMS key when performing operations on behalf of specific accounts.

Amazon Config also supports the AWS:SourceArn condition which restricts the Config service principal to only interact with the Amazon S3 bucket when performing operations on behalf of specific Amazon Config delivery channels. When using the Amazon Config service principal, the AWS:SourceArn property will always be set to arn:aws:config:sourceRegion:sourceAccountID:* where sourceRegion is the region of the delivery channel and sourceAccountID is the ID of the account containing the delivery channel. For more information on Amazon Config delivery channels, see Managing the Delivery Channel. For example, add the following condition to restrict the Config service principal to interact with your Amazon S3 bucket only on behalf of a delivery channel in the us-east-1 region in the account 123456789012: "ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}.
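The following Python script is an added example, not code from the Amazon Config documentation or from AWS. It builds the key policy described above (the service-principal statement scoped with AWS:SourceAccount and, optionally, AWS:SourceArn, plus the IAM-role statement for a list of accounts) and includes a small review check that flags any statement granting config.amazonaws.com access without either condition key. The key ARN, account IDs and region are constructed placeholder values; `build_key_policy` and `unscoped_service_grants` are names chosen for this example.

```python
import json

# Constructed sample values; substitute your own key ARN, account ID and region.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
SOURCE_ACCOUNT = "123456789012"
SOURCE_REGION = "us-east-1"
ROLE_ACCOUNTS = ["111122223333"]

# Constructed example of a weak policy: the service principal is allowed with
# no AWS:SourceAccount / AWS:SourceArn condition, so any Config delivery channel
# in any account could use the key (confused-deputy exposure).
WEAK_POLICY_JSON = """{
  "Id": "Policy_ID",
  "Statement": [{
    "Sid": "AWSConfigKMSPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "config.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*"
  }]
}"""


def config_service_statement(key_arn, source_account, source_region=None):
    """Allow the Amazon Config service principal to use the key, restricted to
    calls made on behalf of source_account and, if a region is given, only from
    delivery channels in that region (AWS:SourceArn pattern from the page)."""
    condition = {"StringEquals": {"AWS:SourceAccount": source_account}}
    if source_region:
        condition["ArnLike"] = {
            "AWS:SourceArn": f"arn:aws:config:{source_region}:{source_account}:*"
        }
    return {
        "Sid": "AWSConfigKMSPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": key_arn,
        "Condition": condition,
    }


def build_key_policy(key_arn, source_account, source_region=None, role_accounts=()):
    """Full key policy: the scoped service-principal statement, plus (when IAM
    roles are used) a statement allowing the listed accounts, as on the page."""
    statements = [config_service_statement(key_arn, source_account, source_region)]
    if role_accounts:
        statements.append({
            "Sid": "AWSConfigKMSPolicyRoles",
            "Effect": "Allow",
            "Principal": {"AWS": list(role_accounts)},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": key_arn,
        })
    return {"Version": "2012-10-17", "Id": "Policy_ID", "Statement": statements}


def unscoped_service_grants(policy):
    """Return the Sids of Allow statements for config.amazonaws.com that carry
    neither AWS:SourceAccount nor AWS:SourceArn. Condition keys are compared
    case-insensitively, as IAM treats them."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "config.amazonaws.com" not in services:
            continue
        cond_keys = {
            key.lower()
            for block in stmt.get("Condition", {}).values()
            for key in block
        }
        if not cond_keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_key_policy(KEY_ARN, SOURCE_ACCOUNT, SOURCE_REGION, ROLE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("unscoped grants in hardened policy:", unscoped_service_grants(policy))
    print("unscoped grants in weak policy:",
          unscoped_service_grants(json.loads(WEAK_POLICY_JSON)))
```

Run it directly to print the generated policy; the check function can also be pointed at a policy retrieved from an existing key (for example the JSON returned by `kms get-key-policy`) to confirm that every grant to the Config service principal is scoped to an account or delivery channel.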