Amazon global condition keys - Amazon Key Management Service

Amazon global condition keys

Amazon defines global condition keys, a set of policy condition keys available to all Amazon services that use IAM for access control. Amazon KMS supports all global condition keys. You can use them in Amazon KMS key policies and IAM policies.

For example, you can use the aws:PrincipalArn global condition key to allow access to an Amazon KMS key (KMS key) only when the principal in the request is represented by the Amazon Resource Name (ARN) in the condition key value. To support attribute-based access control (ABAC) in Amazon KMS, you can use the aws:ResourceTag/tag-key global condition key in an IAM policy to allow access to KMS keys with a particular tag.

To help prevent an Amazon service from being used as a confused deputy in a policy where the principal is an Amazon service principal, you can use the aws:SourceArn or aws:SourceAccount global condition keys. For details, see Using aws:SourceArn or aws:SourceAccount condition keys.
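As an added illustration (not from the documentation), the two key policy statements below grant the same service principal use of a KMS key: the first without any scoping, the second pinned to one account and one source resource with aws:SourceAccount and aws:SourceArn. The policy is written as a Python dict with the same shape as the JSON document; the account ID, log-group ARN and Sids are constructed example values, and the audit function is the editor's, not an Amazon tool.

```python
# Constructed example key policy (not from the documentation). Statement 1 grants a
# service principal use of the key with no scoping; statement 2 pins the same grant
# to one account and one source resource with aws:SourceAccount / aws:SourceArn.
EXAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UnscopedServiceAccess",
            "Effect": "Allow",
            "Principal": {"Service": "logs.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
        {
            "Sid": "ScopedServiceAccess",
            "Effect": "Allow",
            "Principal": {"Service": "logs.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {
                # Constructed account ID and ARN; the partition is aws-cn for the China Regions.
                "ArnLike": {"aws:SourceArn": "arn:aws-cn:logs:cn-north-1:111122223333:log-group:*"},
                "StringEquals": {"aws:SourceAccount": "111122223333"},
            },
        },
    ],
}

# Either key on its own narrows the confused-deputy surface; flag statements with neither.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def condition_keys(statement):
    """All condition key names in a statement, lower-cased (IAM matches them case-insensitively)."""
    return {k.lower() for block in statement.get("Condition", {}).values() for k in block}


def unscoped_service_statements(policy):
    """Sids of Allow statements whose principal is a service principal but which carry
    neither aws:SourceArn nor aws:SourceAccount, so any resource that the service
    acts for could use the key."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" in principal and not (condition_keys(st) & SCOPING_KEYS):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```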

Important

Use caution when specifying the aws:PrincipalIsAWSService condition key in a key policy.

When an Amazon Web Service creates a grant on the KMS key where the grantee principal is an Amazon internal value that aws:PrincipalIsAWSService doesn't recognize, the aws:PrincipalIsAWSService condition can evaluate to FALSE even when an Amazon Web Service uses your KMS key. Specifically, do not rely on the aws:PrincipalIsAWSService condition key in a key policy if your CloudTrail logs include events for an Amazon KMS API operation where the userIdentity.invokedBy value is AWS Internal.

For information about Amazon global condition keys, including the types of requests in which they are available, see Amazon Global Condition Context Keys in the IAM User Guide. For examples of using global condition keys in IAM policies, see Controlling Access to Requests and Controlling Tag Keys in the IAM User Guide.

The following topics provide special guidance for using condition keys based on IP addresses and VPC endpoints.

Using the IP address condition in policies with Amazon KMS permissions

You can use Amazon KMS to protect your data in an integrated Amazon service. But use caution when specifying the IP address condition operators or the aws:SourceIp condition key in the same policy statement that allows or denies access to Amazon KMS. For example, the policy in Amazon: Denies Access to Amazon Based on the Source IP restricts Amazon actions to requests from the specified IP range.

Consider this scenario:

  1. You attach a policy like the one shown at Amazon: Denies Access to Amazon Based on the Source IP to an IAM user. You set the value of the aws:SourceIp condition key to the range of IP addresses for the user's company. This IAM user has other policies attached that allow it to use Amazon EBS, Amazon EC2, and Amazon KMS.

  2. The user attempts to attach an encrypted EBS volume to an EC2 instance. This action fails with an authorization error even though the user has permission to use all the relevant services.

Step 2 fails because the request to Amazon KMS to decrypt the volume's encrypted data key comes from an IP address that is associated with the Amazon EC2 infrastructure. To succeed, the request must come from the IP address of the originating user. Because the policy in step 1 explicitly denies all requests from IP addresses other than those specified, Amazon EC2 is denied permission to decrypt the EBS volume's encrypted data key.

Also, the aws:SourceIp condition key is not effective when the request comes from an Amazon VPC endpoint. To restrict requests to a VPC endpoint, including an Amazon KMS VPC endpoint, use the aws:SourceVpce or aws:SourceVpc condition keys. For more information, see VPC Endpoints - Controlling the Use of Endpoints in the Amazon VPC User Guide.

Using VPC endpoint conditions in policies with Amazon KMS permissions

Amazon KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints that are powered by Amazon PrivateLink. You can use the following global condition keys in key policies and IAM policies to control access to Amazon KMS resources when the request comes from a VPC or uses a VPC endpoint. For details, see Using a VPC endpoint in a policy statement.

  • aws:SourceVpc limits access to requests from the specified VPC.

  • aws:SourceVpce limits access to requests from the specified VPC endpoint.

If you use these condition keys to control access to KMS keys, you might inadvertently deny access to Amazon services that use Amazon KMS on your behalf.

Take care to avoid a situation like the IP address condition keys example. If you restrict requests for a KMS key to a VPC or VPC endpoint, calls to Amazon KMS from an integrated service, such as Amazon S3 or Amazon EBS, might fail. This can happen even if the source request ultimately originates in the VPC or from the VPC endpoint.
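The following added example (not from the documentation) covers both the IP address scenario above and the VPC endpoint scenario in this section. It builds a constructed IAM policy with the "deny unless from the corporate IP range" statement the text warns about, a variant that limits the Deny to calls the principal makes directly, and a VPC endpoint Deny, then flags the statements that would also block an integrated service calling Amazon KMS on the user's behalf. The carve-out uses aws:ViaAWSService, a real global condition key that this page does not discuss; the IP range, endpoint ID and Sids are constructed, and the lint function is the editor's.

```python
# Constructed IAM policy (not from the documentation). "DenyOutsideCorpRange" is the
# pattern the text warns about; "DenyOutsideCorpRangeDirectOnly" adds an
# aws:ViaAWSService carve-out so the Deny applies only to calls the principal makes
# directly, not to calls EC2 or EBS makes with the principal's credentials. That
# carve-out is the editor's remediation, not something this page describes.
EXAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        {"Sid": "DenyOutsideCorpRangeDirectOnly", "Effect": "Deny", "Action": "*",
         "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                       "Bool": {"aws:ViaAWSService": "false"}}},
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
}

# Network-location keys from this section; all three are matched case-insensitively by IAM.
NETWORK_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _touches_kms(statement):
    # A Deny on "*" or on any kms: action affects Amazon KMS calls.
    return any(a == "*" or a.lower().startswith("kms:")
               for a in _as_list(statement.get("Action", [])))


def _direct_calls_only(statement):
    # True when the statement is limited to direct calls via aws:ViaAWSService = false.
    bool_block = statement.get("Condition", {}).get("Bool", {})
    return any(k.lower() == "aws:viaawsservice" and str(v).lower() == "false"
               for k, v in bool_block.items())


def risky_network_denies(policy):
    """Sids of Deny statements that gate KMS actions on the caller's network location
    (IP range, VPC or VPC endpoint) without exempting calls that an integrated
    service makes on the caller's behalf."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny" or not _touches_kms(st):
            continue
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if keys & NETWORK_KEYS and not _direct_calls_only(st):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```

Keys inside one Condition block are ANDed, so the carve-out statement denies only requests that are both outside the range and made directly by the principal.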