Amazon global condition keys
Amazon defines global condition keys, a set of policy condition keys for all Amazon services that use IAM for access control. Amazon KMS supports all global condition keys. You can use them in Amazon KMS key policies and IAM policies.
For example, you can use the aws:PrincipalArn global condition key to allow access to an Amazon KMS key (KMS key) only when the principal in the request is represented by the Amazon Resource Name (ARN) in the condition key value. To support attribute-based access control (ABAC) in Amazon KMS, you can use the aws:ResourceTag/tag-key global condition key in an IAM policy to allow access to KMS keys with a particular tag.
To help prevent an Amazon service from being used as a confused deputy in a policy where the principal is an Amazon service principal, you can use the aws:SourceArn or aws:SourceAccount global condition keys. For details, see Using aws:SourceArn or aws:SourceAccount condition keys.
For information about Amazon global condition keys, including the types of requests in which they are available, see Amazon Global Condition Context Keys.
The following topics provide special guidance for using condition keys based on IP addresses and VPC endpoints.
Topics
Using the IP address condition in policies with Amazon KMS permissions
You can use Amazon KMS to protect your data in an integrated Amazon service. But use caution when specifying the IP address condition operators or the aws:SourceIp condition key in the same policy statement that allows or denies access to Amazon KMS. For example, the policy in Amazon: Denies Access to Amazon Based on the Source IP restricts Amazon actions to requests from the specified IP range.
Consider this scenario:
1. You attach a policy like the one shown at Amazon: Denies Access to Amazon Based on the Source IP to an IAM identity. You set the value of the aws:SourceIp condition key to the range of IP addresses for the user's company. This IAM identity has other policies attached that allow it to use Amazon EBS, Amazon EC2, and Amazon KMS.
2. The identity attempts to attach an encrypted EBS volume to an EC2 instance. This action fails with an authorization error even though the user has permission to use all the relevant services.
Step 2 fails because the request to Amazon KMS to decrypt the volume's encrypted data key comes from an IP address that is associated with the Amazon EC2 infrastructure. To succeed, the request must come from the IP address of the originating user. Because the policy in step 1 explicitly denies all requests from IP addresses other than those specified, Amazon EC2 is denied permission to decrypt the EBS volume's encrypted data key.
Also, the aws:SourceIp condition key is not effective when the request comes from an Amazon VPC endpoint. To restrict requests to a VPC endpoint, including an Amazon KMS VPC endpoint, use the aws:SourceVpce or aws:SourceVpc condition keys. For more information, see VPC Endpoints - Controlling the Use of Endpoints in the Amazon VPC User Guide.
Using VPC endpoint conditions in policies with Amazon KMS permissions
Amazon KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints that are powered by Amazon PrivateLink. You can use the following global condition keys in key policies and IAM policies to control access to Amazon KMS resources when the request comes from a VPC or uses a VPC endpoint. For details, see Using a VPC endpoint in a policy statement.
- aws:SourceVpc limits access to requests from the specified VPC.
- aws:SourceVpce limits access to requests from the specified VPC endpoint.
If you use these condition keys to control access to KMS keys, you might inadvertently deny access to Amazon services that use Amazon KMS on your behalf.
Take care to avoid a situation like the IP address condition keys example. If you restrict requests for a KMS key to a VPC or VPC endpoint, calls to Amazon KMS from an integrated service, such as Amazon S3 or Amazon EBS, might fail. This can happen even if the source request ultimately originates in the VPC or from the VPC endpoint.
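The following Python is an added illustration, not code from the Amazon documentation: a deliberately simplified model of IAM policy evaluation that reproduces both pitfalls described on this page, the aws:SourceIp deny that blocks the EC2-originated decrypt in step 2 of the scenario above, and the aws:SourceVpce deny that blocks an integrated service's call because the request context carries no VPC endpoint key. The policies, IP addresses and endpoint ID are constructed placeholders; the evaluator follows IAM's rule that negated operators such as NotIpAddress and StringNotEquals match when the key is absent from the request context, and that an explicit Deny overrides any Allow.

```python
import ipaddress

# Constructed policy statements (not from the Amazon documentation) for the two pitfalls above.
DENY_OUTSIDE_CORP_IP = {"Effect": "Deny", "Action": "kms:*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
DENY_OUTSIDE_VPCE = {"Effect": "Deny", "Action": "kms:*",
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
ALLOW_DECRYPT = {"Effect": "Allow", "Action": "kms:Decrypt"}

# Constructed request contexts; the IP addresses and endpoint ID are placeholders.
USER_DIRECT = {"aws:SourceIp": "203.0.113.10"}    # user calls KMS directly from the company range
EC2_ON_BEHALF = {"aws:SourceIp": "198.51.100.7"}  # EC2 infrastructure decrypts the data key (step 2);
                                                  # no aws:SourceVpce key is present in this context
VIA_ENDPOINT = {"aws:SourceVpce": "vpce-0123456789abcdef0"}  # via the KMS VPC endpoint; no aws:SourceIp

def condition_matches(operator, key, wanted, ctx):
    """Simplified IAM semantics: negated operators also match when the key is absent."""
    present = key in ctx
    if operator == "IpAddress":
        return present and ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(wanted)
    if operator == "NotIpAddress":
        return not present or ipaddress.ip_address(ctx[key]) not in ipaddress.ip_network(wanted)
    if operator == "StringEquals":
        return present and ctx[key] == wanted
    if operator == "StringNotEquals":
        return not present or ctx[key] != wanted
    raise ValueError(f"unsupported operator {operator}")

def statement_applies(stmt, action, ctx):
    """A statement applies when its Action pattern covers the action and every condition matches."""
    pattern = stmt["Action"]
    if not (pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))):
        return False
    return all(condition_matches(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())

def evaluate(statements, action, ctx):
    """Explicit Deny wins over Allow; with neither, the result is an implicit deny."""
    effects = {s["Effect"] for s in statements if statement_applies(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    ip_policy = [ALLOW_DECRYPT, DENY_OUTSIDE_CORP_IP]
    vpce_policy = [ALLOW_DECRYPT, DENY_OUTSIDE_VPCE]
    print("user direct, IP policy:   ", evaluate(ip_policy, "kms:Decrypt", USER_DIRECT))     # Allow
    print("EC2 on behalf, IP policy: ", evaluate(ip_policy, "kms:Decrypt", EC2_ON_BEHALF))   # Deny
    print("via endpoint, VPCE policy:", evaluate(vpce_policy, "kms:Decrypt", VIA_ENDPOINT))  # Allow
    print("EC2 on behalf, VPCE policy:", evaluate(vpce_policy, "kms:Decrypt", EC2_ON_BEHALF))  # Deny
```

The two "Deny" results are the failures the page describes: the identity itself is allowed, but the call Amazon EC2 makes on its behalf never carries the user's IP or the VPC endpoint ID, so the blanket deny condition matches it.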